FOREWORD


This  report  is  intended  solely  for  use  by  management  of  the  Defense  Finance  and 
Accounting  Service  (DFAS),  Defense  Information  Systems  Agency  (DISA),  and  Naval 
Supply  Information  Systems  Activity  (NAVSISA),  the  Defense  Property  Accountability 
System  (DPAS)  user  organizations,  and  the  independent  auditors  of  such  user 
organizations.  Department  of  Defense  personnel  who  manage  and  use  the  DPAS  will 
also find this report of interest as it contains information about DPAS general and
application  controls. 

The  Department  of  Defense  Office  of  Inspector  General  (DoD  OIG)  is  implementing  a 
long-range  strategy  to  conduct  audits  of  DoD  financial  statements.  The  Chief  Financial 
Officer’s  Act  of  1990  (P.L.  101-576),  as  amended,  mandates  that  agencies  prepare  and 
conduct  audits  of  financial  statements.  The  reliability  of  information  in  DPAS  directly 
impacts DoD’s ability to produce reliable, and ultimately auditable, financial statements,
which is key to achieving the goals of the Chief Financial Officer’s Act.


DPAS  provides  financial  reporting  capability  for  capital  assets  (assets  with  a  value 
greater  than  $100,000),  and  asset  accountability  for  more  than  10.6  million  property 
assets  (assets  with  a  value  less  than  $100,000)  valued  at  approximately  $48.3  billion  as 
of  February  2005.  DPAS  provides  standard  general  ledger  accounting  in  conformance 
with  the  United  States  Government  Standard  General  Ledger  (USSGL)  at  the  transaction 
level  and  subsidiary  reporting  for  capital  assets.  DPAS  tracks  accountability  for  various 
types  of  property  including  personal  property,  real  property,  and  heritage  assets.  DPAS 
has  security  features  that  provide  asset  visibility  at  many  levels  based  on  users’  roles  and 
needs. 

This  audit  assessed  controls  over  DPAS  accountability  of  assets  totaling  approximately 
$48.3  billion.  This  report  provides  an  opinion  on  the  fairness  of  presentation,  the 
adequacy  of  design,  and  the  operating  effectiveness  of  key  controls  that  are  relevant  to 
audits  of  user  organization  financial  statements.  As  a  result,  this  audit  precludes  the  need 
for  multiple  audits  of  DPAS  controls  previously  performed  by  user  organizations  to  plan 
or  conduct  financial  statement  and  performance  audits.  This  audit  will  also  provide,  in  a 
separate  audit  report,  recommendations  to  management  for  correction  of  identified 
control  deficiencies.  Effective  internal  control  is  critical  to  achieving  reliable 
information  for  all  management  reporting  and  decision  making  purposes. 
INSPECTOR GENERAL

DEPARTMENT  OF  DEFENSE 
400  ARMY  NAVY  DRIVE 
ARLINGTON,  VIRGINIA  22202-4704 


July  7,  2005 

MEMORANDUM  FOR  THE  OFFICE  OF  THE  UNDER  SECRETARY  OF  DEFENSE, 

ACQUISITION,  TECHNOLOGY,  AND  LOGISTICS 
UNDER  SECRETARY  OF  DEFENSE  (COMPTROLLER)/CHIEF 
FINANCIAL  OFFICER 
DEPUTY  CHIEF  FINANCIAL  OFFICER 
DEPUTY  COMPTROLLER  (PROGRAM/BUDGET) 

DIRECTOR,  DEFENSE  FINANCE  AND  ACCOUNTING 
SERVICE 

DIRECTOR,  DEFENSE  INFORMATION  SYSTEMS  AGENCY 
COMMANDING  OFFICER,  NAVAL  SUPPLY  INFORMATION 
SYSTEMS  ACTIVITY 

SUBJECT:  Report  on  the  Defense  Property  Accountability  System  Controls  Placed  in 
Operation  and  Test  of  Operating  Effectiveness  for  the  Period  September  1,  2004 
through  April  30,  2005 

We  have  examined  the  accompanying  description  of  the  general  computer  and  application 
controls  related  to  DPAS  (Section  II)  of  this  report.  The  DPAS  program  is  overseen  and 
managed  by  the  Office  of  the  Under  Secretary  of  Defense,  Acquisition,  Technology  and 
Logistics  and  used  by  329  user  groups  throughout  the  Department  of  Defense  (DoD).  The 
DPAS  system,  including  general  computer  and  application  controls,  is  directly  supported  and 
maintained  by  DFAS,  DISA,  and  NAVSISA.  Our  examination  included  procedures  to  obtain 
reasonable  assurance  about  whether  (1)  the  accompanying  description  presents  fairly,  in  all 
material  respects,  the  aspects  of  the  controls  at  DFAS,  DISA,  and  NAVSISA  that  may  be 
relevant to a DPAS user organization’s internal control as it relates to an audit of financial
statements;  (2)  the  controls  included  in  the  description  were  suitably  designed  to  achieve  the 
control  objectives  specified  in  the  description  if  those  controls  were  complied  with 
satisfactorily  and  user  organizations  applied  those  aspects  of  internal  control  contemplated  in 
the  design  of  the  controls  at  DFAS,  DISA,  and  NAVSISA;  and  (3)  such  controls  had  been 
placed  in  operation  as  of  April  30,  2005. 

The control objectives were specified by DoD OIG and accepted by DFAS, DISA and
NAVSISA. Our examination was performed in accordance with standards established by the
American  Institute  of  Certified  Public  Accountants  and  the  standards  applicable  to  financial 
audits  contained  in  Government  Auditing  Standards,  issued  by  the  Comptroller  General  of  the 
United  States,  and  included  those  procedures  we  considered  necessary  in  the  circumstances  to 
obtain  a  reasonable  basis  for  rendering  our  opinion. 

DPAS  was  used  by  the  Army,  Navy,  and  Defense  Agencies,  including  the  National  Security 
Agency  (NSA).  The  NSA  had  its  own  separate  version  of  DPAS  since  its  property  information 
was  classified.  In  addition,  the  Navy  used  DPAS  in  a  manner  that  is  different  than  the  way 
DPAS is used by the Army and Defense Agencies. The accompanying description includes
only those general computer and application control objectives and related control
activities  related  to  the  nonclassified  and  non-Navy  DPAS  versions  of  the  system.  DPAS 
interfaced  with  over  28  DoD  systems  that  either  received  data  from  or  transmitted  data  to 
DPAS.  The  accompanying  description  includes  only  those  general  computer  and  application 
controls related to the input and output processing of these data files and does not include
general  computer  and  application  controls  over  the  source  and  destination  systems  that  send 
data  files  to  or  receive  data  files  from  DPAS.  Finally,  the  accompanying  description  includes 
only  those  application  controls  that  were  centrally  managed  and  maintained  by  DFAS,  DISA, 
and  NAVSISA  and  does  not  include  the  application  controls  resident  at  DPAS  user  locations. 
Therefore,  our  examination  did  not  extend  to  the  general  computer  and  application  controls 
related  to  the  classified  and  Navy  versions  of  DPAS,  the  general  computer  and  application 
controls  over  the  source  and  destination  systems  that  interfaced  with  DPAS,  or  the  application 
controls  resident  at  DPAS  user  locations. 

Our examination was conducted for the purpose of forming an opinion on the description of
the DPAS general computer and application controls at DFAS, DISA, and NAVSISA (Section
II and the control activities described in Section III of this report). Information about business
continuity  plans  and  procedures  at  DISA,  as  provided  by  that  organization  and  included  in 
Section  IV,  is  presented  to  provide  additional  information  to  user  organizations  and  is  not  a 
part  of  the  description  of  controls  at  DFAS,  DISA,  and  NAVSISA.  The  information  in  Section 
IV  has  not  been  subjected  to  the  procedures  applied  in  the  examination  of  the  aforementioned 
description  of  the  controls  at  DFAS,  DISA,  and  NAVSISA  related  to  their  business  continuity 
plans  and  procedures.  Accordingly,  we  express  no  opinion  on  the  description  of  the  business 
continuity  plans  and  procedures  provided  by  DISA. 

In  our  opinion,  the  accompanying  description  of  the  general  computer  and  application  controls 
at  DFAS,  DISA,  and  NAVSISA  related  to  DPAS  (Section  II)  presents  fairly,  in  all  material 
respects,  the  relevant  aspects  of  the  controls  at  DFAS,  DISA,  and  NAVSISA  that  had  been 
placed  in  operation  as  of  April  30,  2005.  Also,  in  our  opinion,  the  controls,  as  described,  were 
suitably  designed  to  provide  reasonable  assurance  that  the  specified  control  objectives  would 
be  achieved  if  the  described  controls  were  complied  with  satisfactorily  and  users  applied  those 
aspects  of  internal  control  contemplated  in  the  design  of  the  controls  at  DFAS,  DISA,  and 
NAVSISA. 

In  addition  to  the  procedures  that  we  considered  necessary  to  render  our  opinion  as  expressed 
in  the  previous  paragraph,  we  applied  tests  to  specified  controls,  listed  in  Section  III,  to  obtain 
evidence  about  their  effectiveness  in  meeting  the  related  control  objectives  described  in 
Section  III  during  the  period  from  September  1,  2004,  to  April  30,  2005.  The  specific  control 
objectives,  controls,  and  the  nature,  timing,  extent,  and  results  of  the  tests  are  listed  in  Section 
III.  This  information  has  been  provided  to  DPAS  user  organizations  and  to  their  auditors  to  be 
taken  into  consideration,  along  with  information  about  the  user  organizations’  internal  control 
environments,  when  making  assessments  of  control  risk  for  such  user  organizations. 

A number of controls in place to ensure compliance with DoD information assurance policies,
including DoDI 8500.2 and the DoD Information Technology Security Certification and
Accreditation Process (DITSCAP), appear to be suitably designed, but our tests of operating
effectiveness indicated inconsistencies in adherence to these policies. In performing our
examination, we identified the following deficiencies relating to the operating effectiveness of
controls in operation for the period September 1, 2004, to April 30, 2005:


•  DISA  recorded  the  system  audit  trails  generated  by  DPAS.  However,  DISA  did  not 
proactively  monitor  DPAS  system  audit  trails.  As  a  result,  DPAS’s  controls  did  not 
provide  reasonable  assurance  that  the  following  control  objectives  were  fully  achieved 
during  the  period  from  September  1,  2004  to  April  30,  2005: 

•  “Tools  are  available  for  the  review  of  audit  records  and  for  report  generation  from 
audit  records”  (general  computer  control  objective  34); 

•  “Policies  and  techniques  have  been  implemented  for  using  and  monitoring  the  use 
of  system  utilities”  (general  computer  control  objective  72);  and 

•  “Installation  of  system  software  is  documented  and  reviewed”  (general  computer 
control  objective  74). 

•  DISA  had  documented  standard  operating  procedures  covering  the  DPAS-related 
operations  at  DISA  Ogden.  However,  those  standard  operating  procedures  were  outdated 
and  incomplete.  As  a  result,  DPAS’s  controls  did  not  provide  reasonable  assurance  that 
the  following  control  objectives  were  fully  achieved  during  the  period  from  September  1, 
2004  to  April  30,  2005: 

•  “Policies  and  techniques  have  been  implemented  for  using  and  monitoring  the  use 
of  system  utilities”  (general  computer  control  objective  72)  and 

•  “Formal  procedures  guide  personnel  in  performing  their  duties”  (general  computer 
control  objective  80). 

•  DISA  performed  certain  procedures  to  process  and  monitor  system  transaction  files,  as 
well  as  certain  procedures  to  correct  errors  and  problems  associated  with  transaction  file 
processing.  However,  those  procedures  were  not  documented.  In  addition,  the  majority 
of  the  transaction  processing,  monitoring,  and  error  correction  functions  were  performed 
by  one  individual  at  DISA  who  was  the  only  person  who  had  the  full  technical  knowledge 
of  DPAS  to  perform  all  of  the  functions.  The  unavailability  of  this  person  could  impact 
the  timeliness  and  quality  of  system  transaction  file  processing.  As  a  result,  DPAS’s 
controls  did  not  provide  reasonable  assurance  that  the  following  control  objective  was 
fully  achieved  during  the  period  from  September  1,  2004  to  April  30,  2005:  “Controls 
provide  reasonable  assurance  that  erroneous  transactions  are  identified  without  being 
processed  and  without  undue  disruption  of  the  processing  of  other  valid  transactions,” 
(application  control  objective  11). 

•  DISA  performed  vulnerability  testing  to  identify  DPAS’s  architecture  vulnerabilities. 
However,  DISA  did  not  perform  periodic  network  penetration  testing.  As  a  result, 
DPAS’s  controls  did  not  provide  reasonable  assurance  that  the  following  control  objective 
was  fully  achieved  during  the  period  from  September  1,  2004  to  April  30,  2005: 
“Conformance testing that includes periodic, unannounced, in-depth monitoring and
provides for specific penetration testing to ensure compliance with all vulnerability
mitigation procedures is planned, scheduled, and conducted,” (general computer control
objective 48).
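The first deficiency above is that audit trails were recorded but not proactively monitored. The script below is an added example, not code from this report or from DPAS, DFAS, or DISA; it shows what a periodic review of an application audit trail can look like: parse the records, list every system-utility run and system-software installation (the events behind control objectives 34, 72, and 74), mark the ones that need follow-up, and produce a report a reviewer can sign off on. The record layout, sample lines, event names, business-hours window, and failed-login threshold are all constructed for the example.

```python
"""Periodic review of an application audit trail (added example, not DPAS code).

Record layout, event names and sample lines are constructed for this example:
    timestamp|user|event|key=value key=value ...
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample audit trail; users, workstations and packages are fictitious.
SAMPLE_AUDIT_TRAIL = """\
2005-03-01T08:02:11|jsmith|LOGIN|workstation=WS101
2005-03-01T08:15:40|jsmith|DATA_UPDATE|table=HAND_RECEIPT rows=3
2005-03-01T22:47:03|opsadmin|UTILITY_RUN|utility=DBLOAD target=CATALOG
2005-03-02T01:12:55|opsadmin|SW_INSTALL|package=dpas-batch-4.2 ticket=
2005-03-02T09:00:00|mjones|LOGIN_FAILED|workstation=WS220
2005-03-02T09:00:30|mjones|LOGIN_FAILED|workstation=WS220
2005-03-02T09:01:05|mjones|LOGIN_FAILED|workstation=WS220
2005-03-02T09:01:40|mjones|LOGIN_FAILED|workstation=WS220
2005-03-02T10:30:00|opsadmin|SW_INSTALL|package=dpas-client-4.2 ticket=CR-1187
"""

# Events a reviewer must see every cycle: system utilities and software installs.
REVIEWED_EVENTS = {"UTILITY_RUN", "SW_INSTALL"}
BUSINESS_HOURS = (7, 18)        # assumed local window, 07:00 to 17:59
FAILED_LOGIN_THRESHOLD = 3      # assumed: this many failures per user is an exception


@dataclass
class AuditRecord:
    when: datetime
    user: str
    event: str
    detail: dict = field(default_factory=dict)


def parse_audit_trail(text):
    """Parse pipe-delimited audit lines; the detail column holds key=value pairs."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, event, detail = line.split("|", 3)
        fields = {}
        for token in detail.split():
            key, _, value = token.partition("=")
            fields[key] = value
        records.append(AuditRecord(datetime.fromisoformat(when), user, event, fields))
    return records


def review_audit_trail(records):
    """Produce the items a periodic review should put in front of a reviewer.

    Every utility run and software install is listed ("review"); those with a
    missing change ticket or outside business hours are marked "exception".
    """
    items = []
    for r in records:
        if r.event not in REVIEWED_EVENTS:
            continue
        problems = []
        if r.event == "SW_INSTALL" and not r.detail.get("ticket"):
            problems.append("no change ticket recorded")
        if not BUSINESS_HOURS[0] <= r.when.hour < BUSINESS_HOURS[1]:
            problems.append("outside business hours")
        items.append({
            "when": r.when.isoformat(),
            "user": r.user,
            "event": r.event,
            "severity": "exception" if problems else "review",
            "reason": "; ".join(problems) or "confirm against change records",
        })
    # Repeated failed logins per user are an exception in their own right.
    failed = Counter(r.user for r in records if r.event == "LOGIN_FAILED")
    for user, n in sorted(failed.items()):
        if n >= FAILED_LOGIN_THRESHOLD:
            items.append({"when": None, "user": user, "event": "LOGIN_FAILED",
                          "severity": "exception", "reason": f"{n} failed logins"})
    return items


def format_report(items):
    """Render review items as the text report a reviewer signs off on."""
    lines = [f"{i['severity'].upper():9} {i['event']:12} {i['user']:10} {i['reason']}"
             for i in items]
    exceptions = sum(1 for i in items if i["severity"] == "exception")
    lines.append(f"{len(items)} items, {exceptions} exceptions requiring follow-up")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(review_audit_trail(parse_audit_trail(SAMPLE_AUDIT_TRAIL))))
```

The point of the review items is that the output is a short, signed-off list rather than the raw trail: the trail itself was already being recorded, and the control objectives are met only when someone reads it on a schedule and the exceptions are traced to change records.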

In  our  opinion,  except  for  the  matters  described  in  the  preceding  paragraphs,  the  controls  that 
were tested, as described in Section III, were operating with sufficient effectiveness to provide
reasonable, but not absolute, assurance that the control objectives specified in Section III were
achieved during the period from September 1, 2004 to April 30, 2005. However, the scope of
our engagement did not include tests to determine whether control objectives not listed in
Section III were achieved; accordingly, we express no opinion on the achievement of control
objectives not included in Section III.

The  relative  effectiveness  and  significance  of  specific  controls  at  DFAS,  DISA,  and  NAVSISA 
and  their  effect  on  assessments  of  control  risk  at  user  organizations  are  dependent  on  their 
interaction  with  the  internal  control  environment  and  other  factors  present  at  individual  user 
organizations.  We  have  performed  no  procedures  to  evaluate  the  effectiveness  of  internal 
controls  placed  in  operation  at  individual  user  organizations. 

The  description  of  the  controls  at  DFAS,  DISA,  and  NAVSISA  is  as  of  April  30,  2005,  and 
information about tests of their operating effectiveness covers the period from September 1,
2004  to  April  30, 2005.  Any  projection  of  such  information  to  the  future  is  subject  to  the  risk 
that,  because  of  change,  the  description  may  no  longer  portray  the  system  in  existence.  The 
potential  effectiveness  of  specific  controls  at  DFAS,  DISA,  and  NAVSISA  is  subject  to 
inherent  limitations,  and  accordingly,  errors  or  fraud  may  occur  and  not  be  detected. 
Furthermore,  the  projection  of  any  conclusions,  based  on  our  findings,  to  future  periods  is 
subject  to  the  risk  that  (1)  changes  made  to  the  system  or  controls,  (2)  changes  in  processing 
requirements,  or  (3)  changes  required  because  of  the  passage  of  time  may  alter  the  validity  of 
such  conclusions. 

This  report  is  intended  solely  for  use  by  management  of  DFAS,  DISA,  and  NAVSISA,  the 
DPAS user organizations, and the independent auditors of such user organizations.


By  direction  of  the  Deputy  Inspector  General  for  Auditing: 


Assistant  Inspector  General 
Defense  Financial  Auditing 
Service 
Section II: Description of Defense Property Accountability System
Operations  and  Controls  Provided  by  the  Defense  Finance  and 
Accounting  Service,  the  Defense  Information  Systems  Agency,  and 
the  Naval  Supply  Information  Systems  Activity 
II. Description of the Defense Property Accountability System
Operations  and  Controls  Provided  by  the  Defense  Finance  and 
Accounting  Service,  Defense  Information  Systems  Agency,  and 
Naval  Supply  Information  Systems  Activity 

A.  Overview  of  DPAS 

History 

The  Under  Secretary  of  Defense  (Comptroller)  and  the  Assistant  Secretary  of 
Defense  for  Command,  Control,  Communication  and  Intelligence  designated 
DPAS  as  a  migratory  system  in  Fiscal  Year  1995  to  bring  DoD  real  and  personal 
property  assets  under  proper  accountability  and  financial  control.  At  that  time, 
DoD  real  and  personal  property  were  considered  high-risk  areas  by  the  audit 
community.  DoD  activities  began  migrating  data  to  DPAS  in  1995.  By  2001, 
DPAS was nearly fully deployed throughout DoD. The Army, Navy, Marine
Corps and 22 Defense Agencies adopted DPAS; the Air Force did not. DPAS is
considered  a  legacy  system  that  will  be  replaced  by  2012  as  part  of  Enterprise 
Resource  Plan  initiatives  at  the  Army,  Navy,  Marine  Corps,  and  Defense 
Logistics  Agency.  An  acquisition  strategy  is  currently  being  developed  to 
determine  the  appropriate  modernization  strategy  for  DPAS.  DPAS  is 
administered  by  the  Under  Secretary  of  Defense  (Comptroller)  and  the  Office  of 
the  Under  Secretary  of  Defense,  Acquisition,  Technology  and  Logistics. 


System  Capabilities 


DPAS  provides  financial  reporting  capability  for  capital  assets  (assets  with  a 
value  greater  than  $100,000),  and  asset  accountability  for  more  than  10.6  million 
property  assets  (assets  with  a  value  less  than  $100,000)  valued  at  approximately 
$48.3  billion  as  of  February  2005.  DPAS  provides  standard  general  ledger 
accounting  in  conformance  with  the  USSGL  at  the  transaction  level  and 
subsidiary  reporting  for  capital  assets.  DPAS  tracks  accountability  for  various 
types  of  property,  including  personal  property,  real  property,  and  heritage  assets. 
DPAS  has  security  features  that  provide  asset  visibility  at  many  levels  based  on 
users’  roles  and  needs. 


DPAS  provides  DoD  users  with  full  support  for  property  accountability, 
management,  and  financial  reporting.  Specifically,  it  provides  the  capability  to 
update  item  authorizations,  perform  asset  cataloging  actions,  assign 
accountability,  perform  accountable  record  processing  (such  as  receipts,  turn-in, 
transfers,  and  inventory  tracking  and  status),  account  for  government  furnished 
property,  compute  depreciation,  generate  general  ledger  transactions,  update 
subsidiary  and  general  ledger  records,  report  financial  status,  maintain  an 
automated document register, and report disposals. DPAS also supports various
maintenance  requirements  including  tracking  preventive  maintenance  schedules 
and  actions,  generating  work  orders,  and  tracking  warranty,  loan  and  lease  data. 
DPAS  users  have  the  ability  to  choose  the  DPAS  functionality  they  want  to  use  to 
meet  their  property  accountability  needs.  In  addition  to  standard  reporting 
capabilities,  DPAS  provides  users  with  commercially  developed  ad  hoc  query  and 
report  writing  software.  This  toolset  allows  DPAS  users  to  create  and  save 
custom  queries  and  reports  to  meet  any  special  reporting  requirements  that  the 
standard  DPAS  reports  do  not  support. 


System  Interfaces 

DPAS’s  primary  interface  is  keyboard  input  using  the  Government  off-the-Shelf 
(GOTS)  client/server  software  provided  to  its  users.  The  majority  of  the  inputs 
are real-time with the updates being performed immediately. In the instance of
batch  processing,  users  generate  “Batch  Requests”  real-time  which  are  then  stored 
in  a  database  table  for  subsequent  processing  during  the  batch  cycle.  Validation 
of  the  real-time  input  is  performed  by  the  client  software  whenever  possible. 
Should  the  validation  require  cross-validation  with  other  table  data  not  resident 
within  the  window,  the  validation  will  occur  within  the  server  software  prior  to 
processing.  The  GOTS  software  provides  users  update  processes,  ad  hoc  query 
processes  and  standard  reports. 


DPAS  has  one  internal  interface  that  uses  DPAS-developed  software  to  accept 
inventory  data  generated  by  Portable  Data  Collection  Devices  (PDCDs),  also 
referred  to  as  scanners.  Users  export  a  file  from  their  terminal  to  the  PDCD  that 
contains information about inventories to be conducted. Upon completion of
the inventories, the results are exported from the PDCD back to the user’s
terminal. From the user’s terminal, the DPAS client software updates user
databases.  Some  PDCDs  may  be  capable  of  communicating  wirelessly.  In 
those  instances,  the  PDCD  is  configured  to  communicate  with  DPAS  client 
software,  which  in  turn  processes  the  updates  on  a  near  real-time  basis. 


With  the  exception  of  the  Unit  Level  Logistics  System  -  Supply  (ULLS-S4), 
which  is  a  PC-based  self-contained  application  that  uses  a  floppy  diskette,  or 
other  similar  media,  all  external  interfaces  use  File  Transfer  Protocol/Secure  File 
Transfer  Protocol  to  communicate  with  DPAS.  DPAS  interfaces  with  26  external 
systems.  All  interfaces  are  documented  with  a  service  level  agreement  that 
contains  contact  information,  data  file  layouts,  file  transmission  procedures,  and 
frequency of transmission information. With the exception of ULLS-S4, Army
Material Command Installation Supply System, and Standard Army Retail Supply
System,  all  interfaces  are  managed  by  the  DISA  DPAS  operations  support  team. 


In  addition  to  system  interfaces,  there  are  data  flows  between  various  DPAS 
modules. To build a property record, data is initially entered using the Catalog
module  with  each  distinct  asset  being  catalogued  with  a  Stock  Number.  The 
Catalog  module  maintains  management  data  pertaining  to  the  asset  with  that  data 
flowing  from  the  Catalog  module  to  the  Authorization  and  Document  Register 
modules.  The  Document  Register  assigns  document  numbers,  updates  status, 
closes  completed  actions,  and  provides  visibility  for  open  and  closed  actions.  The 
Authorization  Module  feeds  data  to  the  Hand  Receipt  module  to  provide  a  link 
between  assets  on-hand  and  the  authorization  to  obtain,  retain  or  turn-in  an  asset. 
The  Hand  Receipt  module  provides  the  capability  to  process  all  actions  that  affect 
asset  balances.  The  Hand  Receipt  module  creates  accounting  transactions  when 
gains  or  losses  for  capital  assets  occur  and  feeds  data  to  the  Accounting 
Module  generating  asset  expense  and  depreciation  data.  The  Hand  Receipt  also 
provides  data  to  the  Maintenance  and  Utilization  module. 


External  interfaces  are  grouped  by  function  as  follows: 

• Accounting - Accounting information, including depreciation data, is
interfaced from the DPAS database to selected accounting management
systems.  The  accounting  interface  is  a  one-way  outbound  interface  that 
provides  capital  asset  general  ledger  and  accounting  information  to  cost 
accounting  systems  such  as  Standard  Industrial  Fund  System,  Defense 
Business  Management  System,  Financial  Accounting  and  Management 
Information  System,  Washington  Headquarters  Services  Allotment 
Accounting  System,  Logistics  Modernization  Program,  and  Electronic 
Business.  These  interfaces  typically  occur  daily  with  data  sent  to  the 
accounting  system  when  there  is  accounting  transaction  activity.  Plans  are 
under  way  to  add  additional  accounting  interfaces  with  the  Defense 
Working  Capital  Accounting  System;  Standard  Accounting  and  Reporting 
System;  Standard  Accounting,  Budget,  and  Reporting  System;  and 
Defense  Corporate  Database. 

•  Authorization  -  The  authorization  interface  is  a  one-way  inbound  interface 
that  supports  Army  DPAS  users  by  providing  equipment  authorization 
requirements  from  the  Logistics  Army  Authorization  Document  System. 
The  Logistics  Army  Authorization  Document  System  data  provides  users 
with  current  and  projected  equipment  requirements.  Users  review  this 
data to determine whether there is sufficient equipment on-hand to fulfill
their  mission,  when  to  submit  requisitions  to  cover  equipment  shortages, 
and  when  to  initiate  turn-in  actions  for  excess  equipment.  The  Logistics 
Support  Activity  within  the  Department  of  the  Army  is  responsible  for 
sending  the  file  containing  Logistics  Army  Authorization  Document 
System  data. 

•  Asset  Visibility  -  Asset  visibility  interfaces  are  one-way  outbound 
interfaces  that  provide  data  extracts  of  asset  information  based  on  the 
needs  of  receiving  systems.  DPAS  has  active  interfaces  with  the  Unique 
Item  Tracking  and  Command  Asset  Visibility  and  Equipment 
Redistribution System. Unique Item Tracking is used to report Army
reportable assets to the Continuing Balance System Expanded and to
report Small Arms to the Department of Defense Small Arms Serialization
Program registry and Cryptology assets to the Controlled Cryptographic
Item registry. The Unique Item Tracking interface typically occurs daily
with data being sent to Logistics Support Activity when there are Army
reportable  asset  transactions.  The  Command  Asset  Visibility  and 
Equipment  Redistribution  System  interface  occurs  once  a  week.  Both 
interfaces  are  controlled  by  automated  system  scheduling  software. 

•  Catalog  -  Catalog  interfaces  are  all  one-way  inbound  interfaces.  There  are 
active  catalog  interfaces  with  Federal  Logistics  Data,  Supply  Bulletin  700- 
20, Army Master Data File, and National Defense Equipment. These
interfaces provide DPAS users with current information concerning
National Stock Numbers. This information is used by DPAS users to
requisition  materials  and  catalog  assets.  The  interface  frequencies  range 
from  “As  Needed”  (when  updates  occur)  for  the  National  Defense 
Equipment,  to  Semi-Annual  for  the  Supply  Bulletin,  to  monthly  for 
Federal  Logistics  Data  and  the  Army  Master  Data  File.  Defense  Logistics 
Information  Service  is  responsible  for  sending  Federal  Logistics  Data  to 
DPAS  and  the  Logistics  Support  Activity  is  responsible  for  sending  the 
Supply  Bulletin,  Army  Master  Data  File  and  National  Defense  Equipment 
data. 

•  Excess  -  The  excess  interface  is  a  two-way  interface  that  supports  the 
redistribution  of  information  technology  (IT)  assets.  The  interface 
exchanges  asset  disposal  information  with  the  Defense  Reutilization  and 
Marketing Automated Information System. This interface is used to
notify managers of excess assets. The Defense Reutilization and
Marketing Automated Information System provides DPAS with
information  about  sites  that  accept  excess  assets  and  with  information 
concerning  schools  that  have  been  approved  to  participate  in  the 
Computers  for  Learning  program. 

•  Hand  Receipt  -  The  hand  receipt  interface  is  a  one-way  outbound  interface 
that supports feeding asset information to the ULLS-S4 system. The
interface is used to provide DPAS ULLS-S4 users (typically active Army
or National Guard units that are stationed at an Army post, camp, or
station)  information  concerning  assets  acquired  by  their  activity.  The  data 
from  DPAS  is  merged  with  the  activity’s  own  asset  data  within  ULLS-S4 
to  provide  users  with  a  complete  picture  of  assets  for  which  they  are 
responsible.  The  DPAS  user  executes  this  interface  in  near  real-time 
when  there  is  a  need. 

•  Maintenance  -  The  maintenance  interface  is  a  one-way  outbound  interface 
that supports feeding asset information to external maintenance systems.
DPAS has an active maintenance interface with the Facility Equipment
Management System. The interface is used to provide maintenance
systems  with  new  equipment  receipts,  equipment  turn-ins,  and  changes  in 
the  status  of  existing  equipment  such  as  serial  numbers,  bar  codes, 
locations,  and  accumulated  depreciation.  The  interface  provides  the 
maintenance  system  with  approximately  40  attributes  on  each  piece  of 
equipment  identified  for  maintenance  and  utilization  tracking.  This 
interface  occurs  daily  when  there  is  activity  and  is  controlled  by 
automated  system  scheduling  software. 

• Real Property - The real property interface is a two-way interface. DPAS
has  active  real  property  interfaces  with  the  Integrated  Facilities  System 
and  the  Planning  Resource  Infrastructure  Decision  Evaluation  System. 

The interfaces are used to accept real property information in DPAS.
During  posting,  accounting  transactions  are  generated  for  transmission  to 
accounting  systems.  When  capital  improvements  are  input  directly  into 
DPAS,  DPAS  generates  transactions  back  to  the  real  property  systems  to 
advise  them  of  the  improvement.  During  the  DPAS  depreciation  cycle, 
DPAS  transmits  Accumulated  Depreciation  records  to  real  property 
systems  to  update  the  book  value  of  each  asset.  This  interface  typically 
occurs  daily  when  there  is  activity  and  is  controlled  by  automated  system 
scheduling  software.  The  real  property  systems  are  responsible  for 
initiating  the  transmission  and  receipt  of  data. 

•  Receipts  -  The  receipts  interface  is  a  two-way  interface.  DPAS  has  an 
active  receipts  interface  with  the  Base  Operations  Support  System.  The 
interface  is  used  to  accept  information  concerning  personal  property  assets 
posted  to  users’  accounts.  Records  that  reject  or  are  not  accepted  are  sent 
back  to  the  sending  system  to  advise  them  that  the  record  was  not 
accepted.  This  interface  typically  occurs  daily  when  there  is  activity  and 
is  controlled  by  automated  system  scheduling  software.  Receiving 
systems  are  responsible  for  initiating  the  transmission  and  receipt  of  data. 

•  Supply  -  Supply  interfaces  are  two-way  interfaces  that  provide  users  with 
the  ability  to  perform  requisitioning  actions  using  DPAS  processes.  For 
the  Army  Material  Command  Installation  Supply  System  and  the  Standard 
Army  Retail  Supply  System  interfaces,  these  requisitions  are  transmitted 
electronically  to  the  Supply  Support  Activity.  The  Supply  Support 
Activity  issues  the  material  from  local  stock,  or  forwards  the  request  to  the 
wholesale  level  for  issuance  or  to  the  contracting  system  for  local 
purchase.  In  the  case  of  the  Defense  Automatic  Addressing  System 
interface,  requisitioning  is  limited  to  National  Stock  Numbers.  These 
requisitions  are  transmitted  directly  to  the  Defense  Automatic  Addressing 
System,  which  in  turn  retransmits  them  to  the  correct  Inventory  Control 
Point  for  issuance.  All  of  the  supply  systems  send  requisition  status 
information  back  to  DPAS  and  DPAS  updates  the  users’  requisitions 
electronically.  With  the  exception  of  the  Defense  Automatic  Addressing 
System  interface,  which  is  controlled  by  automated  system  scheduling 
software,  these  interfaces  typically  occur  daily  and  are  initiated  by  the 
user. 


Figure  1  below  provides  a  graphical  representation  of  the  DPAS  data  flow. 


Figure  1:  DPAS  Data  Flow  (diagram  not  reproduced;  recoverable  label:  Maintenance  &  Utilization  Data) 


System  Architecture 


DPAS  operates  in  a  client-server  environment.  This  environment 
provides  the  application  support,  operations,  backup,  and  recovery  for 
the  DPAS  mission.  The  client  environment  is  comprised  of  multiple 
sites  employing  workstations  with  connectivity  to  the  server 
environment.  Client  connectivity  is  provided  by  the  server  site  based  on 
authenticated  users  with  valid  internet  protocol  addresses.  DPAS 
system  servers  support  all  DoD  agency  databases  using  the  DPAS 
application  for  property  accountability.  The  server  environment  consists 
of  the  application  software,  operating  system,  database,  and  hardware. 

The  DPAS  database  is  a  relational  collection  of  data  associated  with  property 
accountability  and  equipment  management.  There  are  329  relational  databases 
supporting  a  worldwide  geographical  dispersion  of  multiple  agencies  and 
commands.  DPAS  database  files  reside  on  magnetic  disk.  Magnetic  tapes  are 
used  for  off-line  backups  of  the  databases.  The  storage  requirement  for  each 
customer  database  is  based  primarily  on  the  number  of  items  on  the  customer's 
property  book.  The  minimum  storage  requirement  for  the  DPAS  common 
database  is  1.3  Gigabytes.  This  supports  up  to  15,000  property  book  items.  Each 
additional  15,000  property  book  items  increases  the  storage  requirement  by  20 
Megabytes.  The  database  permits  asset  authorization,  cataloging,  accountable 
record  processing,  financial  processing,  equipment  maintenance,  and  equipment 
utilization.  The  DPAS  Common  database  is  comprised  of  several  individual 
customer  databases  and  one  DPAS  Excess  database.  The  physical  structure  of  the 
DPAS  database  is  such  that  access  to  individual  databases  and  the  Excess 
database  by  the  application  software  is  DPAS  platform-transparent  (the 
application  software  is  not  dependent  on  the  physical  location  of  databases  as 
configured  across  DPAS  platfonns).  Individual  site  DPAS  databases  are  resident 
on  the  DPAS  production  servers  located  at  DISA  Dayton.  The  minimum  storage 
requirement  for  the  DPAS  Excess  database  is  also  40  Megabytes.  In  the  event  of 
data  loss  or  corruption,  the  entire  DPAS  database  can  be  restored  from  daily  tape 
backups. 

The  hardware  platforms  for  the  DPAS  application  are  Hewlett  Packard  (HP) 
L2000,  HP  K570,  HPI70,  HP  K220,  and  HP  K400  servers.  The  operating  system 
is  a  HP-UX  Release  11  Operating  System  with  multi-user  licensing  for  concurrent 
users.  Development  software  includes  Micro  Focus  Version  4.0  COBOL  with 
database  environment  of  Cincom  SUPRA  2.9.X  Relational  Database  Management 
System  (UNIX/Client  Server  version)  and  Micro  Focus  Application-to- 
Application.  Servers  are  remotely  managed  by  system  administrators  in  the  DISA 
Ogden  System  Management  Center  (SMC)  located  at  Hill  Air  Force  Base,  Ogden, 
UT. 

Security  against  unauthorized  access  to  the  DPAS  database  is  controlled  at 
several  levels.  End-user  access  is  controlled  by  the  operating  system  and  Remote 
Defense  Business  Management  System  software,  as  well  as  by  DPAS  application 
software.  Database  support  and  maintenance  operations  can  be  done  only  by 
those  individuals  designated  as  database  administrators  or  system  administrators. 

B.  Control  Environment 

Management  Oversight 

DPAS  is  a  centrally  funded  and  managed  program.  The  Program  Manager  for 
DPAS  reports  to  the  Deputy  Director,  Acquisition  Resources  and  Analysis, 
Property  and  Equipment  Policy  Office,  which  reports  to  the  OUSD(C)  and  the 
OUSD,  AT&L.  The  DPAS  Program  Management  Office  is  located  at  DFAS, 
Columbus,  Ohio,  which  provides  direct  operational  oversight  for  the  program  and 
supports  all  customer  service  requirements  (including  data  conversions, 
centralized  help  desk  support,  training,  quality  assurance,  site  support,  e-learning, 
and  website  services).  DFAS  coordinates  with  DISA  SMC  Ogden  to  provide 
program  IT  infrastructure  support.  Additionally,  DFAS  and  DISA  Ogden  SMC 
work  closely  with  NAVSISA  for  all  DPAS  software  development,  maintenance, 
and  testing.  Finally,  these  entities  work  closely  with  the  DPAS  Configuration 
Control  Board  (CCB),  made  up  of  headquarters  level  property  managers 
representing  the  user  community,  to  review  the  application’s  functionality, 
propose  changes,  and  provide  recommendations  as  needed.  The  CCB  meetings 
also  provide  DoD  property  managers  with  a  forum  to  learn  from  each  other  and 
share  solutions  to  common  problems.  Figure  2  below  provides  a  graphical 
representation  of  the  DPAS  oversight  and  support  structure. 

Figure  2:  DPAS  Organization  (organization  chart  not  reproduced) 


Personnel  Policies  and  Procedures 

Hiring  practices  at  each  of  the  service  organizations  are  in  accordance  with  DoD 
Instruction  8500.2,  “Information  Assurance  (IA)  Implementation,”  February  6, 
2003,  availability  control,  “IA  Documentation,”  which  requires  that  all 
appointments  to  required  IA  roles  are  established  in  writing,  including  assigned 
duties  and  appointment  criteria  such  as  training,  security  clearance  and  IT- 
designation.  DPAS  management,  support  employees,  and  contractors  at  DFAS, 
DISA,  and  NAVSISA  are  required  to  review  applicable  administrative  orders, 
policies,  and  procedures  with  the  Human  Resource  Office  and  must  complete 
appropriate  forms  to  gain  access  to  the  DPAS  System.  New  employees  meet  with 
the  Information  Systems  Security  Manager  to  understand  their  roles  and 
responsibilities.  The  Information  Systems  Security  Manager  is  responsible  for: 
(1)  providing  basic  systems  security  awareness  training,  (2)  securing  civilian  and 
contractor  signatures  on  Automated  Data  Processing  Security  Awareness 
disclosure  forms,  (3)  identifying  to  the  employee  who  their  Terminal  Area 
Security  Officer  (TASO)  is  and  what  the  TASO’s  responsibilities  are,  and 
(4)  notifying  appropriate  personnel  to  provide  access  to  DPAS  when  an  employee 
or  contractor  is  hired  or  terminated. 

The  mission  assurance  category  (MAC)  of  an  information  system  reflects  the 
importance  of  information  relative  to  the  achievement  of  DoD  goals  and 
objectives,  particularly  the  war  fighter  combat  mission.  MACs  are  the  basis  for 
determining  availability  and  integrity  control  requirements.  In  accordance  with 
DoD  Directive  8500.1  and  DoD  Instruction  8500.2,  the  MAC  for  DPAS  has  been 
determined  to  be  MAC  III.  MAC  III  is  defined  as  a  system  that,  “...handles 
information  necessary  to  conduct  day-to-day  business,  but  does  not  materially 
affect  support  to  deployed  or  contingency  forces  in  the  short-term.”  MAC  III 
applications  require  protective  measures,  techniques,  or  procedures  generally 
commensurate  with  commercial  best  practices.  The  confidentiality  level  of  the 
system  has  been  established  as  Sensitive.  The  DPAS  System  Security 
Authorization  Agreement  (SSAA)  addresses  the  requirements  for  background 
checks,  gaining  access  to  the  application,  and  segregation  of  duties  for  support 
personnel  and  the  user  community.  This  includes  controlling  access  to  DPAS  by 
using  identification  and  authentication  mechanisms  such  as  User  IDs  and 
passwords,  and  using  discretionary  access,  auditing,  and  object  reuse  controls. 
DPAS  operates  with  the  following  objectives: 

a.  DPAS  information  shall  be  handled  as  sensitive  but  unclassified. 

b.  Adequate  measures  shall  be  in  effect  to  ensure  that  data  is  being 
transferred  securely  across  communication  channels. 

c.  All  access  through  firewalls  will  be  authenticated. 

d.  Identification  and  Authentication  will  be  accomplished  within  DPAS  by 
using  unique  user  logins  and  passwords. 

e.  Discretionary  Access  Controls  will  be  implemented  within  databases. 

User  Accounts  are  managed  by  the  System  Administrator  located  at  the  DISA 
Ogden  SMC  and  by  Site  Security  Officers.  Personnel  requesting  access  to  DPAS 
are  required  to  submit  a  System  Authorization  Access  Request  (SAAR),  DD 
Form  2875,  including  the  status  of  the  user's  background  check  and  clearance 
level  to  the  DISA  Ogden  Security  Office  prior  to  being  granted  access. 
Completion  of  the  form  requires  the  user  to  accept  the  User  Agreement  to  comply 
with  DISA  and  DoD  security  policies  and  the  responsibility  for  safeguarding 
information  contained  in  the  system.  Within  their  capabilities,  each  user  shall 
protect  information  and  automated  information  systems  resources  against 
sabotage,  tampering,  denial  of  service,  espionage,  fraud,  misappropriation, 
misuse,  or  release  to  unauthorized  persons.  Users  shall  report  all  such 
occurrences  to  their  TASO  or  Information  Assurance  Officer  (IAO)  immediately. 


DPAS  developers  and  maintainers  at  DFAS,  DISA,  and  NAVSISA,  as  well  as  the 
end  users,  are  required  to  have  favorable  personnel  background  investigations. 
The  level  of  investigation  depends  on  the  sensitivity  level  of  the  automated  data 
processing  (ADP)  position  assigned  to  each  individual  in  accordance  with  the 
DoD  5200.2-R,  “Personnel  Security  Program  Regulation,”  issued  January  1987, 
and  the  DoD  5220.22-M,  “National  Industrial  Security  Program  Operating 
Manual,”  issued  January  1995. 

Individuals  in  positions  designated  ADP-I  require  a  Single  Scope  Background 
Investigation.  Examples  of  positions  that  are  designated  ADP-I  are  Designated 
Approving  Authorities  (DAA),  Program  Managers,  System  Managers, 
Information  System  Security  Managers,  and  Network  Security  Managers.  All 
local  area  network  administrators  who  have  the  ability  to  assign  user-IDs  and 
passwords  or  the  capability  to  grant  access  to  sensitive  files  will  also  occupy 
ADP-I  positions.  The  Director  of  DFAS  may  assign  ADP-I  sensitivity  levels  to 
other  unique  positions. 

Individuals  in  positions  designated  ADP-II  and  ADP-III  require  a  National 
Agency  Check  Plus  Written  Inquiries,  or  an  equivalent  level  of  investigation. 
Persons  assigned  ADP-II  designations  do  not  make  executive  decisions  regarding 
management  of  IT  systems,  hardware,  or  software,  and  are  subordinate  to  ADP-I 
positions.  These  positions  include  IAOs,  TASOs,  application  and  systems 
programmers,  operators,  customer  service  personnel,  schedulers,  tape  librarians, 
and  secretaries.  All  other  positions  involved  in  DPAS  activities  should  be 
assigned  ADP-III  except  for  contractor  positions  that  require  a  National  Agency 
Check  investigation  only. 

Training 

Personnel  at  DFAS,  DISA,  and  NAVSISA  are  required  to  complete  continuing 
education.  Training  objectives  for  continuing  education  are  captured  in  the 
Individual  Development  Plans  by  each  individual  and  their  supervisor. 


DPAS  training  is  obtained  by  service  organization  personnel  through  the  DPAS 
Security  Awareness  Guide,  DPAS  Operational  Support  Team  Troubleshooting 
Guide,  and  Knowledge  Management  system.  The  DISA  Online  Training  System 
provides  training-related  technical  services  used  in  the  DPAS  application. 

Support  personnel  at  DFAS,  DISA,  and  NAVSISA  are  required  to  receive  annual 
security  awareness  training  through  their  respective  agency  or  service.  Each 
agency  or  service  is  required  to  follow  the  DoDI  8500.2  guidelines  in  providing 
security  awareness  training.  In  addition,  DPAS  application-specific  security 
training  covers  roles  and  responsibilities  for  the  DPAS  end  user.  Documentation 
of  training  is  recorded  in  an  attendance  roster  and  a  certificate  of  completion  is 
provided  to  each  user.  Training  is  monitored  for  content  and  kept  up-to-date  by 
agency  or  service  security  and  training  coordinators.  Training  for  the  user 
community  is  offered  by  DFAS  but  is  not  required. 


Security  training  focuses  on  those  processes  that  ensure  only  authorized  users 
gain  access  to  the  application  and  specific  programs.  DPAS  IAOs  and  Technical 
Points  of  Contact  are  provided  training  for  proper  access  control  and  setting  up 
user  profiles  at  the  DPAS  program  and  user  levels.  This  training  is  provided  in 
conjunction  with  the  standard  courses  for  DPAS  Basic  and  Basic  Plus. 

The  DPAS  User  Training  Manual  addresses  administrative  issues  such  as  granting 
security  access,  assigning  multiple  accountable  UICs  to  users,  modifying  the 
DPAS  program,  and  user  access.  In  addition,  DPAS  users  receive  the  DPAS 
Security  Awareness  Guide  that  explains  security  awareness  and  appropriate 
measures  to  safeguard  the  system.  The  guide  is  provided  to  users  when  new 
accounts  are  set  up,  during  training,  and  annually. 

C.  Monitoring 

Management  and  supervisory  personnel  at  DFAS,  DISA,  and  NAVSISA  monitor 
the  performance  quality  and  internal  control  environment  as  a  normal  part  of  their 
activities.  DFAS,  DISA,  and  NAVSISA  implemented  a  number  of  management, 
quality  assurance,  and  operational  reports  that  help  monitor  the  performance  of 
DPAS  processing  as  well  as  the  DPAS  system  itself.  These  reports  are  reviewed 
by  DFAS,  DISA,  and  NAVSISA.  Corrective  action  is  taken  as  necessary.  DPAS 
processing  problems  and  exceptions  to  normal  or  scheduled  processing  through 
hardware  or  software  are  logged,  reported,  and  resolved. 

DISA  Field  Security  Operations 

DPAS  is  subject  to  a  System  Readiness  Review  (SRR)  process  that  consists  of 
running  automated  SRR  scripts  and  manual  checks  to  compare  DPAS  system 
security  settings  to  recommended  security  settings  documented  in  the  DISA 
Security  Technical  Implementation  Guides  (STIGs).  These  SRRs  include  only 
the  software  portion  of  the  STIG.  The  SRR  process  is  performed  on  the  DPAS 
operating  system,  the  database  management  system,  and  web  services.  DISA 
system  administrators  are  responsible  for  executing  and  tracking  the  SRR 
processes  on  a  weekly  basis.  Findings  noted  during  the  SRR  processes  are 
monitored  at  DISA,  Montgomery,  AL.  The  DISA  Field  Security  Operations 
(FSO)  performs  SRRs  of  systems  supported  by  DISA  to  determine  whether  those 
systems  are  in  compliance  with  relevant  STIGs.  The  SRR  performed  by  the  FSO 
is  a  full  STIG  compliance  review  that  typically  occurs  annually.  The  DPAS 
system  components  that  are  maintained  by  DISA  are  subject  to  FSO  reviews.  The 
FSO  is  independent  of  the  DISA  Ogden  management  structure  and  does  not 
maintain  or  configure  DPAS  systems. 

Findings  noted  during  the  FSO  SRR  process  are  categorized  according  to  severity 
and  tracked  in  the  Vulnerability  Management  System  (VMS)  database.  VMS  is 
an  online,  web-based  database  with  access  protected  by  user  IDs  and  user  security 
profiles.  System  Administrators,  IAOs  or  Information  Assurance  Managers 
(IAM)  have  the  responsibility  to  close  findings  in  the  database  as  they  are 
mitigated  in  the  systems.  A  member  of  the  FSO  staff  must  validate  finding 
resolutions.  The  FSO  also  performs  random  validation  checks  of  resolved 
findings  to  ensure  that  corrective  actions  are  actually  taking  place.  Some  findings 
can  be  exempt  from  resolution  if  technical  or  business  needs  require  a 
noncompliant  setting.  Exceptions  are  usually  for  a  limited  time  and  must  be 
approved  by  the  IAM  prior  to  final  approval  by  the  DAA. 

The  Information  Assurance  Vulnerability  Alert  tracking  system  in  the  VMS 
database  generates  management  reports  that  are  checked  daily  by  the  IAM  to 
monitor  Information  Assurance  Vulnerability  Alert  compliance.  Results  of  SA, 
IAO,  and  IAM  mitigation  and  closure  efforts  are  provided  to  the  DAA. 

DITSCAP  Certification  and  Accreditation 

DoD  Directive  5200.40,  DITSCAP,  issued  December  30,  1997,  and 
DoD  8510.1-M,  “DITSCAP  Application  Manual,”  issued  July  31,  2000, 
established  the  DITSCAP  as  the  standard  DoD  certification  and  accreditation 
process.  Certification  is  the  comprehensive  evaluation  of  the  technical  and 
non-technical  security  features  of  an  information  system  and  other  safeguards  made  in 
support  of  the  accreditation  process  to  establish  the  extent  to  which  a  particular 
design  and  implementation  adheres  to  specified  security  requirements. 
Accreditation  is  the  formal  declaration  by  a  DAA  that  an  information  system  is 
approved  to  operate  in  a  particular  security  mode  using  a  prescribed  set  of 
safeguards  at  an  acceptable  level  of  risk.  DITSCAP  establishes  a  standard 
process,  set  of  activities,  general  tasks,  and  a  management  structure  to  certify  and 
accredit  an  information  system  that  will  maintain  the  IA  and  security  posture  of 
the  Defense  Information  Infrastructure.  This  process  supports  an  infrastructure- 
centric  approach  with  a  focus  on  the  mission,  environment,  and  architecture. 

DPAS  must  comply  with  all  of  the  DITSCAP  certification  and  accreditation 
requirements  throughout  its  life  cycle  and  document  the  requirements  in  the 
SSAA.  The  SSAA  is  a  formal  agreement  with  the  DAA(s),  the  Certifier,  user 
representative,  and  program  manager  employed  to  guide  actions,  document 
decisions,  specify  IA  requirements,  document  certification  tailoring  and  level-of- 
effort,  identify  potential  solutions,  and  maintain  operational  systems  security. 
SSAAs  were  prepared  for  the  DPAS  application  and  the  supporting  operating 
environment. 

Trouble  Management  System  Function 

DPAS  system  problems  are  usually  identified  by  a  DPAS  user  or  by  a  monitoring 
process  executed  at  the  support  organization.  The  problem  is  logged  into  the 
Trouble  Management  System  maintained  by  NAVSISA.  A  trouble  ticket  number 
is  assigned  in  the  log  and  a  technician  to  return  the  system  to  a  fully  operational 
state  is  identified  and  recorded  on  the  ticket.  The  Trouble  Management  System  is 
monitored  by  NAVSISA  to  ensure  tickets  are  closed  timely,  and  by  the  Software 
Director  to  ensure  their  knowledge  of  the  operational  state  of  the  system.  The 
Trouble  Management  System  ticket  is  monitored  to  ensure  the  completion  of  the 
proposed  corrective  action,  as  well  as  actions  taken  to  return  the  system  to  full 
operational  capability. 

Data  Evaluation  and  Quality  Assurance  Function 

The  DFAS  Data  Evaluation  and  Quality  Assurance  function  provides  recurring 
and  special  reports,  data  extracts,  data  analysis,  and  recommendations  to  improve 
DPAS  data  integrity  and  program  efficiency.  These  reports  are  generated  on  a 
monthly  basis,  captured  electronically  onto  compact  discs,  and  distributed  to  CCB 
representatives.  The  Quality  Assurance  branch  monitors  data  quality  to  measure 
improvement  over  time  in  the  areas  of  asset  management,  accountability,  and 
financial  reporting  accuracy. 

Department  of  Defense,  Office  of  Inspector  General 

The  DoD  OIG  was  established  by  Congress  to  conduct  and  supervise  audits  and 
investigations  related  to  DoD  programs  and  operations.  The  DoD  OIG  reports 
directly  to  the  Secretary  of  Defense  and  is  independent  of  DFAS  and  DISA. 
DPAS,  as  well  as  the  property  accountability  processes  it  supports,  is  part  of  the 
DoD  OIG  audit  universe  and  is  subject  to  financial,  operational,  and  IT  audits, 
reviews,  and  special  assessment  projects. 


Office  of  the  Inspector  General,  Defense  Information  Systems  Agency 

DISA  has  its  own  Office  of  the  Inspector  General,  which  is  an  independent  office 
within  DISA  that  conducts  internal  audits,  inspections,  and  investigations.  The 
DISA-related  components  that  support  DPAS  are  part  of  the  DISA  Office  of  the 
Inspector  General  audit  universe  and  are  subject  to  audits,  inspections,  and 
investigations  conducted  by  the  DISA  OIG. 

D.  Risk  Assessment 

Threats,  vulnerabilities,  and  risks  associated  with  DPAS  operations  are 
documented  in  the  application  and  enclave  SSAAs  with  personnel  from  DFAS, 
DISA,  and  NAVSISA  participating  in  the  risk  assessments.  Among  the  tools 
utilized  for  conducting  risk  assessments  are  a  comprehensive  evaluation  of  the 
MAC  Controls  referenced  in  DoD  Instruction  8500.2  and  applicable  Phase  II,  III, 
and  IV  tasks  documented  in  DoD  8510.1-M.  The  MAC  controls  address  the  areas 
of  Security  Design  and  Configuration,  Identification  and  Authentication,  Enclave 
and  Computing  Environment,  Enclave  Boundary  Defense,  Physical  and 
Environmental,  Personnel,  Continuity  and  Vulnerability,  and  Incident 
Management.  The  procedures  outlined  in  DoD  8510.1-M  cover  risk  in  the 
following  major  areas:  System  Architecture  Analysis,  Software,  Hardware, 
Firmware  Design  Analysis,  Network  Connection  Rule  Compliance  Analysis, 
Life-cycle  Management  Analysis,  Vulnerability  Assessment,  Security  Testing  and 
Evaluation,  Penetration  Testing,  System  Management  Analysis,  and  Contingency 
Plan  Evaluation.  The  SSAA  describes  Residual  Risk  Assessments  and  documents 
vulnerabilities  noted  during  DPAS  tests  and  analyses.  The  SSAA  also  documents 
risk  mitigation  strategies  designed  to  protect  information  commensurate  with  the 
level  of  risk  and  magnitude  of  harm  resulting  from  loss,  misuse,  unauthorized 
access,  or  modification.  The  SRR  processes  described  in  the  Monitoring  section 
also  provide  management  a  means  to  assess  and  track  potential  security  risks 
associated  with  the  DPAS  technical  infrastructure. 

E.  Information  and  Communication 

Users  can  submit  a  change  request  to  the  DPAS  CCB,  which  makes  the  final 
determination  on  the  implementation  of  changes  to  the  system.  There  is  a 
documented  system  request  process  that  considers  emerging  information  needs  of 
the  user  community. 

On  an  annual  basis,  each  support  organization  independently  develops  a  DPAS 
program  strategy  that  is  summarized  in  a  support  agreement  known  as  a  Service- 
Level  Proposal  or  Service-Level  Agreement.  The  strategies  are  based  on  user 
needs  expressed  through  their  CCB  member,  technology  changes,  challenges 
discussed  during  DPAS  program  reviews,  changes  in  policies  and  procedures 
from  the  Comptroller  and  logistics  communities,  and  budgetary  realities  input 
from  the  respective  support  organizations. 

There  are  three  DPAS  support  agreements  in  place  that  are  reviewed  and  updated 
annually.  These  Service-Level  Agreements  detail  the  roles  and  responsibilities  of 
the  various  entities  involved  in  providing  support  to  DPAS. 

1.  OUSD,  AT&L,  Arlington,  VA,  and  the  Department  of  the  Navy,  NAVSISA, 
Mechanicsburg,  PA. 

As  detailed  in  the  Service-Level  Agreement,  NAVSISA  provides  OUSD, 
AT&L  the  following  services: 


a.  Software  Development  Services 

b.  Software  Maintenance  and  Operating  Support 

c.  Management  Reporting 

d.  Other  Support  (Provides  briefings  to  DPAS  user  groups  and  user 
conferences  as  requested  by  the  customer.  Provides  software  and 
scanner  web-site  content  as  required  by  the  DPAS  Web-Site  Review 
Board.  Updates  DPAS  trainer  personnel  on  software  changes  as 
required.  Provides  technical  support  to  various  DPAS  support 
initiatives  such  as  e-learning,  security  documentation,  web-site,  and 
classroom  training.) 

2.  DISA  and  the  OUSD,  AT&L. 

As  detailed  in  the  Service-Level  Agreement,  DISA  provides  OUSD,  AT&L 
the  following  services: 

a.  Server  Processing 

b.  Telecommunications  Services 

c.  Support  Services,  including  technical  and  operational  support  for  the 
DPAS  application,  Security,  System  Administration,  Network 
Communications,  Database  Management,  Operations,  Customer 
Technical  Liaison,  and  the  Web  Server 

d.  Full  Cost  Recovery  Services,  including  processing  cycles,  input  and 
output  transfers,  memory  utilization,  storage  of  and  access  to  data 
maintained  on  direct  access  storage  devices,  and  network  connectivity 

3.  Director,  Property  and  Equipment  Policy,  OUSD,  AT&L,  Arlington,  VA,  and 
the  Defense  Finance  Accounting  Service  Technology  Services  Organization, 
DPAS  Program  Management  Support  Division. 

As  detailed  in  the  Service-Level  Agreement,  DFAS  Columbus  provides 
OUSD,  AT&L  the  following  services: 

a.  Administration 

b.  Program  planning 

c.  Program  management  support 

d.  Customer  support  that  includes  implementations,  data  assurance 
customer  assistance,  call  center,  help  desk,  web-site  development  and 
administration 

e.  Customer  training 

f.  Oversight  of  the  software  development  and  maintenance  service 
provided  by  NAVSISA,  and 

g.  Oversight  of  systems  infrastructure  support  operational  services  and 
data  processing  services  provided  by  DISA 


Ongoing  written  communication  between  DPAS  support  community 
organizations  and  staff  helps  to  ensure  that  program  objectives  and  important 
information  are  clearly  shared.  Support  organizations  also  meet  to  discuss 
program  issues  and  project  objectives  including  performance,  areas  of  concern, 
accomplishments,  anticipated  workload  changes,  and  project  status  reports. 
NAVSISA  provides  weekly  status  reports  on  deliverables  and  services  via  update 
of  the  Configuration  Management  Tracking  System  (CMTS).  In-Process 
Reviews  are  conducted  on  project  status  and  open  management  issues.  CCB 
meetings  are  held  biannually  to  communicate  issues  including  new  DPAS 
releases  to  the  user  community.  The  DPAS  support  entities  participate  with  the 
CCB  in  meetings,  briefings,  or  site  visits  to  discuss  processing  and  program 
issues. 

The  DPAS  Help  Desk  provides  customer  support  from  6  a.m.  until  6  p.m.  and  an 
on-call  service  for  all  other  times.  The  Help  Desk  mission  is  to  provide  customers 
a  single  place  to  call  for  their  support  needs.  Help  Desk  agents  are  responsible  for 
tracking  and  responding  to  customer  requests  including  those  that  come  in 
through  the  DPAS  web  site,  email,  or  the  Call  Center.  The  agents  track  issues 
that  require  system  changes  through  the  Program  Trouble  Report  (PTR)  process 
until  they  are  resolved. 

The  DPAS  program  provides  a  public  website  that  contains  information  on  the 
DPAS  program  mission  and  goals,  software,  support,  training,  and  guidance. 

The  support  areas  include  customer,  technical,  security,  training,  and  management 
support,  as  well  as  quality  assurance. 

F.  Control  Activities 

The  DPAS  control  objectives  and  related  control  activities  are  included  in  Section 
III  of  this  report,  “Information  Provided  by  the  Service  Auditor,”  to  eliminate  the 
redundancy  that  would  result  from  listing  them  in  this  section  and  repeating  them 
in  Section  III.  Although  the  control  objectives  and  related  controls  are  included  in 
Section  III,  they  are,  nevertheless,  an  integral  part  of  management’s  description  of 
controls. 

G.  User  Control  Considerations 

DPAS  was  designed  with  the  assumption  that  certain  controls  would  be 
implemented  by  DPAS  user  organizations.  This  section  describes  additional 
controls  that  should  be  in  operation  at  DPAS  user  organizations  to  complement 
the  controls  maintained  by  DFAS,  DISA,  and  NAVSISA.  User  auditors  should 
consider  whether  the  following  controls  have  been  placed  in  operation  at  user 
organizations: 


Authorization  Controls 


•  Property  in  transit  in  which  the  government  has  taken  title  is  recorded 
by  the  Property  Custodian  and  has  been  approved  by  the  Property 
Book  Officer  (PBO). 
•  Recorded additions and changes to the asset register and master file made by the Property Custodian are compared to source documents authorized by the PBO to ensure that they were input accurately. 

•  Assets  are  periodically  inventoried  by  the  Hand  Receipt  Holder  and 
then  the  PBO  to  ensure  that  hand  receipts  match  assets  recorded  in  the 
asset  register.  Reconciling  items  are  identified  and  addressed  by  the 
Hand  Receipt  Holder  in  a  timely  manner. 

•  Authorized users of DPAS and their specific access needs are approved by the PBO and the Information Systems Security Officer, and directly communicated in writing by the resource owner to DISA-Ogden. 

•  Personnel  responsible  for  asset  acquisition,  disposal,  recording,  and 
maintenance  have  responsibility  for  only  one  such  function  and  do  not 
have  system  access  to  other  than  their  assigned  function. 

•  The  Information  Systems  Security  Officer  has  configured  system 
security  so  that  only  authorized  users  have  the  ability  to  enter,  modify, 
or  otherwise  alter  property  records. 
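The two preceding considerations (one property function per person, and system access limited to what the PBO and ISSO approved) are the kind of check a user auditor can run mechanically over an access-role export. The following is an added example written for this report, not DPAS code: it assumes a (user, function) export from the property system and a set of approved (user, function) pairs taken from the authorization records, both constructed here.

```python
"""Segregation-of-duties (SoD) review over property-system role assignments.

Added example for this report, not DPAS code. It assumes an export of
(user, function) rows from the property system and a set of approved
(user, function) pairs from the PBO/ISSO authorization records; both are
constructed below.
"""
from collections import defaultdict

# The four functions the user control consideration says one person must
# not combine in their system access.
SOD_FUNCTIONS = frozenset({"acquisition", "disposal", "recording", "maintenance"})


def _norm(function):
    return function.strip().lower()


def sod_violations(assignments):
    """Map each user holding two or more SOD_FUNCTIONS to the sorted list
    of functions held. Duplicate and differently-cased rows collapse.
    Functions outside SOD_FUNCTIONS (e.g. read-only inquiry) are ignored."""
    held = defaultdict(set)
    for user, function in assignments:
        f = _norm(function)
        if f in SOD_FUNCTIONS:
            held[user].add(f)
    return {u: sorted(fs) for u, fs in held.items() if len(fs) > 1}


def unapproved_functions(assignments, approvals):
    """Sorted (user, function) pairs present in the system for which no
    approval record exists: the 'access matches what the PBO and ISSO
    approved' half of the review."""
    approved = {(u, _norm(f)) for u, f in approvals}
    return sorted({(u, _norm(f)) for u, f in assignments} - approved)


# Constructed sample export and approval records.
SAMPLE_ASSIGNMENTS = [
    ("jdoe", "recording"),
    ("jdoe", "disposal"),       # SoD conflict: recording + disposal
    ("asmith", "acquisition"),
    ("asmith", "inquiry"),      # read-only, not an SoD function
    ("blee", "maintenance"),
    ("blee", "Maintenance"),    # same function, different case: no conflict
    ("cwu", "acquisition"),
    ("cwu", "disposal"),
    ("cwu", "recording"),       # three conflicting functions
]
SAMPLE_APPROVALS = {
    ("jdoe", "recording"),
    ("asmith", "acquisition"),
    ("asmith", "inquiry"),
    ("blee", "maintenance"),
    ("cwu", "acquisition"),
}

if __name__ == "__main__":
    for user, fs in sorted(sod_violations(SAMPLE_ASSIGNMENTS).items()):
        print(f"SoD violation: {user} holds {', '.join(fs)}")
    for user, f in unapproved_functions(SAMPLE_ASSIGNMENTS, SAMPLE_APPROVALS):
        print(f"No approval on file: {user} -> {f}")
```

Run against a real export, the first report is the SoD exception list for the PBO; the second is the set of grants that exist in the system without a matching authorization and therefore need either an approval on file or removal.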

Completeness  Controls 

•  The  PBO  and  user’s  accounting  function  periodically  review  the  asset 
register  and  master  file  data  for  accuracy,  ongoing  pertinence,  and 
reconciliation  to  the  corresponding  general  ledger  accounts. 
Reconciling  items  are  addressed  by  the  PBO  in  a  timely  manner. 

•  The  Property  Custodian  accurately  records  the  values  and  physical 
units  of  beginning  balances,  acquisitions,  and  property  held  for 
disposal  and  retirement  in  DPAS. 

•  Requests  to  change  the  asset  register  and  master  file  data  are  logged 
and  reviewed  by  the  PBO  to  ensure  that  all  requested  changes  are 
processed  timely. 

•  Asset-related  transactions  before  or  after  the  end  of  an  accounting 
period  are  scrutinized  and  reconciled  by  the  user’s  accounting  function 
to  ensure  complete  and  consistent  recording  of  transactions  in  the 
appropriate  accounting  period. 

•  Asset  and  accumulated  depreciation  balances  are  carried  forward  from 
one  processing  cycle  to  the  next  by  the  user’s  accounting  function, 
using  independently  obtained  asset  acquisition,  asset  disposal,  and 
depreciation  expense  data. 
•  Depreciation charges are reviewed by the PBO and the user’s accounting function to determine whether the charges are accurate, complete, and recorded in the appropriate period. 

•  The  PBO  identifies  DoD  property  accountability  policies, 
communicates  those  policies  to  property  personnel,  and  updates 
standard  operating  procedures  to  reflect  policy  changes. 

Accuracy  Controls 

•  The  Property  Custodian  accurately  records  the  method  and  costs  of 
acquiring  each  property  item  or  bulk  property  item. 

•  Depreciation  exception  items  are  consistently  identified,  monitored, 
and  corrected  by  the  PBO  and  the  user’s  accounting  function. 

Control  Over  The  Integrity  of  Processing  and  Data  Files 


•  The  Property  Custodian  accurately  records  property  in-transit 
information  to  establish  and  maintain  accountability  and  control  over 
property. 

•  Processing  out-of-balance  reports  are  reviewed  promptly  by  the  PBO 
and  the  user’s  accounting  function  and  followed  up  by  the  PBO  to 
determine  the  cause  of  the  out-of-balance  condition. 

•  The  PBO  periodically  reviews  error  reports  that  list  rejected 
transactions  and  corrects  them  within  a  reasonable  time. 

•  All  changes  to  the  asset  register  and  master  file  are  approved  by  the 
PBO. 

•  The  PBO  reviews  audit  trails  of  changes  to  property  records  including 
a  transaction-based  history  of  property  activity,  modifications, 
improvements,  changes  in  value,  and  the  data  entry  and  approval. 

•  Interfaced inputs are transmitted in batch files, and batch control totals are used to balance sent transactions to received transactions. Out-of-balance conditions are reported, corrected, and reentered. 

The  list  of  user-organization  control  considerations  presented  above  does  not 
represent  a  comprehensive  set  of  all  the  controls  that  should  be  employed  by  user 
organizations.  Other  controls  may  be  required  at  user  organizations. 
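The batch control total consideration above is concrete enough to show in code. The following is an added example for this report, not DPAS or interface code: the record layout (asset_id, qty, amount), the TRAILER line format and the sample data are all constructed. The sender appends totals computed over the batch; the receiver recomputes them over what actually arrived and reports every field that is out of balance so the batch can be corrected and reentered.

```python
"""Batch control totals for an interface file.

Added example for this report, not DPAS or interface code. The record
layout (asset_id, qty, amount), the trailer format and the sample data
are constructed. The sender appends control totals computed over the
batch; the receiver recomputes them over what arrived and reports any
out-of-balance condition so the batch can be corrected and reentered.
"""
import csv
import io
from decimal import Decimal

FIELDS = ["asset_id", "qty", "amount"]


def control_totals(records):
    """Record count, quantity total, amount total, and a hash total (the
    arithmetic sum of asset IDs: a meaningless number that nonetheless
    catches a substituted record when count and amounts still balance)."""
    count, qty, amount, hash_total = 0, 0, Decimal("0"), 0
    for r in records:
        count += 1
        qty += int(r["qty"])
        amount += Decimal(r["amount"])
        hash_total += int(r["asset_id"])
    return {"count": count, "qty": qty, "amount": amount, "hash_total": hash_total}


def make_batch(records):
    """Sender side: CSV body followed by a TRAILER line carrying the totals."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    t = control_totals(records)
    buf.write(f"TRAILER,{t['count']},{t['qty']},{t['amount']},{t['hash_total']}\n")
    return buf.getvalue()


def reconcile_batch(text):
    """Receiver side: recompute totals over the received records and compare
    them with the trailer. Returns (balanced, differences) where differences
    maps each out-of-balance field to (sent, received)."""
    lines = text.strip().splitlines()
    if not lines or not lines[-1].startswith("TRAILER,"):
        return False, {"trailer": ("present", "missing")}
    _, c, q, a, h = lines[-1].split(",")
    sent = {"count": int(c), "qty": int(q), "amount": Decimal(a), "hash_total": int(h)}
    received = control_totals(csv.DictReader(io.StringIO("\n".join(lines[:-1]))))
    differences = {k: (sent[k], received[k]) for k in sent if sent[k] != received[k]}
    return not differences, differences


# Constructed sample batch.
SAMPLE_RECORDS = [
    {"asset_id": "1001", "qty": "2", "amount": "1500.00"},
    {"asset_id": "1002", "qty": "1", "amount": "250.50"},
    {"asset_id": "1003", "qty": "5", "amount": "99.95"},
]

if __name__ == "__main__":
    batch = make_batch(SAMPLE_RECORDS)
    print("clean batch:", reconcile_batch(batch))
    # A record replaced in transit by one with equal qty and amount: only
    # the hash total exposes it.
    print("substituted record:",
          reconcile_batch(batch.replace("1002,1,250.50", "1005,1,250.50")))
    # A record dropped in transit: every total is off.
    print("dropped record:", reconcile_batch(batch.replace("1003,5,99.95\n", "")))
```

The hash total is the field worth keeping even when it looks redundant: a dropped or duplicated record moves the count and the amounts, but a record swapped for one of equal value only moves the hash total. A missing trailer is treated as out of balance rather than as a batch with nothing to check.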
III.  Control Objectives, Control Activities, and Tests of Operating Effectiveness 

A.  Scope  Limitations 

The control objectives documented in this section were specified by the DoD OIG. The control activities described in this section were specified by DISA, DFAS, and NAVSISA management. As described in the prior section (Section II), DPAS interfaces with many systems. The controls described, and the tests of those controls, in this section of the report were limited to those computer systems, operations, and processes directly related to DPAS itself. The controls related to DPAS source and destination system interfaces were specifically excluded from this review. We did not perform procedures to evaluate the effectiveness of the input, processing, and output controls within interfacing systems, although we did perform procedures to evaluate DPAS interface input and output controls. We did not perform any procedures to evaluate the integrity and accuracy of the data contained in DPAS. 
B.  Control Objectives, Control Activities, and Tests of Operating Effectiveness 

The table in this section has five columns: CO No., Control Objective, Control Activity, Test Procedure, and Results of Testing. Each row is set out below in that order, with the control activity and test procedure labeled by the site (DISA-Ogden, DISA-Dayton, or DFAS-Columbus) to which they apply. 

Enterprise-Wide Security Program Planning 

CO No. 1 
Control Objective: Risks are periodically assessed. 
Control Activity: 
  DISA-Ogden, DFAS-Columbus: Risk assessments are performed as part of the DITSCAP compliance process. Automated System Readiness Reports (SRR) scripts are run on each server and reported to the Montgomery SRR database on a weekly basis. Each system has an SRR and an Internet Security Systems (ISS) scan performed before it is connected to the network. The DISA FSO runs periodic SRRs and ISS scans. SRR findings are documented and tracked in the VMS. 
Test Procedure: 
  DFAS-Columbus: Read the latest Risk Assessment performed with the SSAA and confirmed with the Branch Chief, Quality Assurance Division, that risks were periodically assessed. Read the annual IA assessment and confirmed with the ISSO that existing policies and processes were assessed annually. 
  DISA-Ogden: Observed the SRR process to confirm that it occurred and that corrective actions were tracked. Selected a haphazard sample of SRRs performed by DISA-Ogden and inspected the VMS reports to confirm that findings identified by the SRR process had been addressed. 
Results of Testing: The DITSCAP Phase II and Phase III Summary Analysis Reports for each task were not documented and included in the SSAA. However, a checklist was completed for each Phase II and Phase III task, and a Risk Assessment and an IA assessment were performed. The intent of the objective was achieved. 
CO No. 2 
Control Objective: A security plan is documented and approved. 
Control Activity: 
  DFAS-Columbus: The DPAS security plan is documented, maintained, approved, and periodically updated. 
Test Procedure: 
  DFAS-Columbus: Read the DPAS SSAA to confirm it had been documented, updated, and appropriately approved. Read the annual IA assessment to confirm that existing policies and processes were assessed annually. 
Results of Testing: No relevant exceptions noted. 

CO No. 3 
Control Objective: The security plan is kept current. 
Control Activity: 
  DFAS-Columbus: The DPAS security plan is documented, maintained, approved, and periodically updated. 
Test Procedure: 
  DFAS-Columbus: Read the DPAS SSAA to confirm it had been documented, updated, and appropriately approved. Read the DPAS Systems Security Policy, Security Requirements, and Certification Test and Evaluation Plan and Procedures to confirm that each had been updated. Read the annual IA assessment to confirm that existing policies and processes were assessed annually. 
Results of Testing: No relevant exceptions noted. 

CO No. 4 
Control Objective: A security management structure has been established. 
Control Activity: 
  DISA-Ogden: An IAM and Alternate IAM have been assigned. There are Information Assurance Officers (IAOs) for each type of operating system and TASOs assigned to each area. 
Test Procedure: 
  DISA-Ogden: Confirmed through inquiry that a management structure had been established. Read the DISA-Ogden organizational chart and job descriptions to confirm that all positions were established in writing. Read the SSAA for the security management structure and confirmed that each position was outlined in the SSAA. 
Results of Testing: The security management structure contained position titles that were not in accordance with DoD 8500.2 requirements. However, we confirmed through interviews and inspection of the organizational chart and job descriptions that a security management structure was in place. The intent of the objective was achieved. 

CO No. 5 
Control Objective: Information security responsibilities are clearly assigned. 
Control Activity: 
  DISA-Ogden: An IAM and Alternate IAM have been assigned. There are IAOs for each type of operating system and TASOs assigned to each area. 
Test Procedure: 
  DISA-Ogden: Read the SSAA for the security management responsibilities. Confirmed that each position outlined in the SSAA was filled and that the person understood their duty. Read the DISA-Ogden organizational chart and job descriptions to confirm that all positions were established in writing. 
Results of Testing: No relevant exceptions noted. 

CO No. 6 
Control Objective: A set of rules that describe the IA operations of the DoD information system and clearly delineate IA responsibilities and expected behavior of all personnel is in place. 
Control Activity: 
  DISA-Ogden: The DPAS SSAA describes IA responsibilities and expected behavior of personnel. 
Test Procedure: 
  DISA-Ogden: Obtained the DISA-Ogden SSAA and job descriptions. Confirmed that the SSAA and job descriptions clearly delineated responsibilities and expected behavior. Read the DISA-Ogden organizational chart and job descriptions to confirm that all positions were established in writing. 
Results of Testing: No relevant exceptions noted. 

CO No. 7 
Control Objective: Owners and users are aware of security policies. 
Control Activity: 
  DISA-Ogden: Each new employee and contractor is provided with a security briefing. They must also sign that they have received this briefing. This briefing is provided annually to employees and contractors. 
Test Procedure: 
  DISA-Ogden: Read the Security Awareness Training provided by DISA-Ogden. Selected a haphazard sample of employees and read their training files to confirm the completion of the necessary security training and a signoff. Inspected the training sign-in sheets to confirm that DISA-Ogden employees had attended annual training. 
Results of Testing: The DPAS Program Manager, DISA-Ogden, did not attend the 2004 annual training. However, the DPAS Program Manager did not have system access to DPAS. As such, the DPAS Program Manager’s lack of training presents minimal risk to DPAS. 
CO No. 8 
Control Objective: An incident response capability has been implemented. 
Control Activity: 
  DISA-Ogden: An incident response plan has been established and documented in the DISA-Ogden SSAA. 
Test Procedure: 
  DISA-Ogden: Confirmed through inspection that the incident plan detailed in the SSAA had been implemented. Selected a haphazard sample of incidents to confirm that the incident response plan was being followed. 
Results of Testing: No relevant exceptions noted. 

CO No. 9 
Control Objective: Hiring, transfer, termination, and performance policies address security. 
Control Activity: 
  DISA-Ogden: For security purposes, all newly hired personnel are required to have: 
    1.  Completed National Agency Check personal security investigations for all functional users (civilian, military, and contractors), as a minimum. 
    2.  Registration of all users by Defense Enterprise Computing Center (DECC) System Administrators, IAO, or the specific data owners. 
    3.  Specified system and/or application permissions that only allow access to required, ‘need to know’ information. 
    4.  Unique User Identification (ID) and password for all users. 
    5.  Specific DECC system training. 
    6.  Initial and refresher Information Security training. 
    7.  DISA Form 2875 for all DECC system users. 
  For transfer and termination of personnel, the following is required: 
    1.  Debriefing is conducted. 
    2.  Reminder of the non-disclosure agreement. 
    3.  DISA Form 70 checklist is used to ensure collection of DISA property. 
    4.  Signed DISA termination statement. 
    5.  Email is sent to System Administrators to remove all system access. 
Test Procedure: 
  DISA-Ogden: Read the hiring, transfer, termination, and performance policies of DISA-Ogden to confirm they were documented. Inspected a haphazard sample of System Access Authorization Request (SAAR) Form 2875 to confirm that each Form 2875 detailed the user’s justification for access and security clearance level, and that each Form 2875 was properly approved. Confirmed through inquiry that a debrief is conducted when an employee is terminated and that a DISA Form 70 is used to note the collection of DISA property. Confirmed through observation that an email is sent to the Security Administrator to request that system access be removed for a terminated employee. Selected a sample of all DPAS-related employees located at DISA-Ogden and inspected the annual security sign-in sheets to confirm that each employee had completed the training. 
Results of Testing: The DPAS Program Manager, DISA-Ogden, did not attend the 2004 annual training. However, the DPAS Program Manager did not have system access to DPAS. As such, the DPAS Program Manager’s lack of training presents minimal risk to DPAS. 
CO No. 10 
Control Objective: Employees have adequate training and expertise. 
Control Activity: 
  DISA-Ogden: Employees are required to complete periodic training for their respective job functions. 
Test Procedure: 
  DISA-Ogden: Confirmed through inquiry that employees had adequate training and expertise. Read System Administrator training materials to confirm that they provided each System Administrator with adequate training and expertise. 
Results of Testing: The System Administrator-specific training was outdated and did not provide a means to verify whether a user had successfully completed the training materials. However, we confirmed through inspection of annual security training attendance sheets that DISA-Ogden employees attended annual security training. The intent of the objective was achieved. 

CO No. 11 
Control Objective: A program is implemented to confirm that upon arrival and periodically thereafter, all personnel receive training and familiarization to perform their assigned IA responsibilities. 
Control Activity: 
  DISA-Ogden: Each new employee and contractor is provided with a security briefing. They must also sign that they have received this briefing. This briefing is provided annually to employees and contractors. 
Test Procedure: 
  DISA-Ogden: Read the Security Awareness Training provided by DISA-Ogden. Selected a haphazard sample of employees and read their training files to confirm the completion of the necessary security training and a signoff. 
Results of Testing: The DPAS Program Manager, DISA-Ogden, did not attend the 2004 annual training. However, the DPAS Program Manager did not have system access to DPAS. The DPAS Program Manager’s lack of training presents minimal risk to DPAS. 
CO No. 12 
Control Objective: Management periodically assesses the appropriateness of security policies and compliance with them. 
Control Activity: 
  DISA-Ogden, DFAS-Columbus: An IA review is conducted by the Security Officer that comprehensively evaluates existing policies and processes to ensure procedural consistency and to ensure that they fully support the goal of uninterrupted operations. 
Test Procedure: 
  DISA-Ogden: Interviewed the Security Officer to obtain an understanding of how DISA-Ogden management assessed the appropriateness of the security policies and compliance with them. Read the DPAS Security Requirements and Information Systems Security Policy Certification Test and Evaluation Procedures to confirm that an annual IA review was conducted and that comprehensive vulnerability management was in place. 
  DFAS-Columbus: Read the annual IA assessment to confirm that existing policies and processes were assessed annually. Read the DPAS SSAA to confirm that the latest risk assessment was conducted in 2003. 
Results of Testing: The DPAS SSAA was approved by the DAA on October 9, 2003, providing DPAS with an ATO; however, we determined that the SSAA was not in total compliance with DITSCAP. Since the ATO, we noted that sections of the DPAS SSAA had been updated in accordance with DoDI 8500.2 DCAR-1; however, all required DITSCAP Phase II and III analysis had not been properly performed and documented. We noted, however, that a checklist had been documented for each Phase II and Phase III task. 

CO No. 13 
Control Objective: Management ensures that corrective actions are effectively implemented. 
Control Activity: 
  DISA-Ogden: Corrective actions are tested after they have been implemented and monitored on a continuing basis. 
Test Procedure: 
  DISA-Ogden: Interviewed management personnel to gain an understanding of how operating system patches, updates, and changes were implemented. Observed the SRR process to confirm that corrective actions were implemented for identified SRR findings. Selected a haphazard sample of SRRs and inspected the VMS reports to confirm that findings identified by the SRR process had been addressed. 
Results of Testing: No relevant exceptions noted. 
CO No. 14 
Control Objective: A comprehensive vulnerability management process that includes the systematic identification and mitigation of software and hardware vulnerabilities is in place. 
Control Activity: 
  DISA-Ogden: Software and hardware vulnerabilities are independently validated through inspection and automated vulnerability assessment or state management tools. VMS and Information Assurance Vulnerability Alerts are utilized to track and maintain system vulnerability status. 
Test Procedure: 
  DISA-Ogden: Read the vulnerability management policy to confirm that it documented a process for the systematic identification and mitigation of software and hardware vulnerabilities and that identified vulnerabilities had been resolved. 
Results of Testing: No relevant exceptions noted. 

CO No. 15 
Control Objective: Changes to the DoD information system are assessed for IA and accreditation impact prior to implementation. 
Control Activity: 
  DISA-Ogden: SRR scripts are run on each server and reported to the Montgomery SRR database on a weekly basis. Each system has an SRR and an ISS scan performed before it is connected to the network. The DISA FSO runs periodic SRRs and ISS scans. All system software changes must be reviewed and approved prior to implementation. 
Test Procedure: 
  DISA-Ogden: Observed the SRR process to confirm that it occurred and that corrective actions were tracked. Observed the system software change control process for DISA-Ogden and confirmed that changes were properly approved before implementation. Inspected a sample of system changes and confirmed that changes were only implemented after proper approval, or were not implemented if not approved. 
Results of Testing: No relevant exceptions noted. 

CO No. 16 
Control Objective: A DoD reference document constitutes the primary source for security configuration or implementation guidance for the deployment of newly acquired IA- and IA-enabled IT products. 
Control Activity: 
  DISA-Ogden: The DISA UNIX STIG and DISA Instruction Information Systems Security Program 630-230-19 are the primary documents used to frame the internal security requirements of the DPAS application. 
Test Procedure: 
  DISA-Ogden: Read DoD Directives 8500.01, 8500.02, 8510.1-M, the DISA Database STIG, the DISA UNIX STIG, and DISA Instruction Information Systems Security Program 630-230-19 to confirm that they constituted the primary source of configuration or implementation guidance for the deployment of newly acquired IA- and IA-enabled products. 
Results of Testing: No relevant exceptions noted. 
Access Controls 

CO No. 17 
Control Objective: Resource classifications and related criteria have been established. 
Control Activity: 
  DFAS-Columbus: The MAC Level has been assigned and periodically reviewed. 
Test Procedure: 
  DFAS-Columbus: Read the DPAS SSAA and confirmed that a MAC level had been assigned to DPAS and reviewed. 
Results of Testing: No relevant exceptions noted. 

CO No. 18 
Control Objective: Owners have classified resources. 
Control Activity: 
  DFAS-Columbus: The MAC Level has been assigned and periodically reviewed. 
Test Procedure: 
  DFAS-Columbus: Read the DPAS SSAA and confirmed that a MAC level had been assigned to DPAS and reviewed. 
Results of Testing: No relevant exceptions noted. 

CO No. 19 
Control Objective: Resource owners have identified authorized users and their level of access. 
Control Activity: 
  DFAS-Columbus: User access roles within DPAS are defined according to job description, Modules Accessed, Access Privilege, Required Module, Module Sensitivity, and Position Sensitivity. 
Test Procedure: 
  DFAS-Columbus: Observed documentation that defined user roles and responsibilities. Observed the application to confirm that users required a valid Login and Password to gain access to the system. Observed that a user account was assigned a Security Profile that restricted access by module, program, Unit Identification Code (UIC), and Hand Receipt. 
Results of Testing: No relevant exceptions noted. 

CO No. 20 
Control Objective: Emergency and temporary access authorization is controlled. 
Control Activity: 
  DISA-Ogden: Emergency and temporary access authorizations are documented on standard forms and maintained on file, approved by appropriate managers, securely communicated to the security function, and automatically terminated after a predetermined period. 
Test Procedure: 
  DISA-Ogden: Read the emergency and temporary access policy. Selected a sample of emergency and temporary access and confirmed that: 
    •  The authorization was approved and that access was closed in a timely manner. 
    •  The emergency and temporary access list was periodically reviewed. 
    •  Temporary access authorizations were established for least privileged need-to-know access. 
Results of Testing: No relevant exceptions noted. 
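CO 19 describes a Security Profile that restricts a user by module, program, UIC, and Hand Receipt, and CO 20 requires temporary access to be terminated automatically after a predetermined period. The following is an added example for this report, not DPAS code, showing what a default-deny check against such a profile looks like: the four scope dimensions come from the report, while the privilege names ("inquiry", "update"), the action names, the expires field, and all sample data are assumptions made for the illustration.

```python
"""Default-deny authorization against a DPAS-style Security Profile.

Added example for this report, not DPAS code. The report states that a
Security Profile restricts access by module, program, UIC and Hand
Receipt; those are the dimensions modeled here. The privilege names
("inquiry", "update"), the action names, the `expires` field used to
close temporary access automatically, and all sample data are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import FrozenSet, List, Optional

UPDATE_ACTIONS = frozenset({"enter", "modify", "delete"})


@dataclass(frozen=True)
class Grant:
    module: str
    privilege: str                        # "inquiry" (read) or "update" (assumed names)
    programs: FrozenSet[str]              # programs within the module
    uics: FrozenSet[str]                  # Unit Identification Codes in scope
    hand_receipts: Optional[FrozenSet[str]] = None  # None: every hand receipt under those UICs
    expires: Optional[date] = None        # None: standing access; a date marks temporary access


@dataclass
class SecurityProfile:
    user: str
    grants: List[Grant] = field(default_factory=list)


def authorize(profile, module, program, uic, hand_receipt, action, today):
    """Return (allowed, reason). A request is allowed only if one grant
    matches every dimension, has not expired, and carries the 'update'
    privilege when the action alters a record. Anything else is denied."""
    for g in profile.grants:
        if g.module != module or program not in g.programs or uic not in g.uics:
            continue
        if g.hand_receipts is not None and hand_receipt not in g.hand_receipts:
            continue
        if g.expires is not None and today > g.expires:
            continue  # temporary access closes itself; no cleanup step to forget
        if action in UPDATE_ACTIONS and g.privilege != "update":
            continue
        return True, f"matched {g.module}/{g.privilege} grant"
    return False, "no matching grant (default deny)"


def temporary_grants(profile, today):
    """The temporary-access list a reviewer would inspect: (grant, still active)."""
    return [(g, today <= g.expires) for g in profile.grants if g.expires is not None]


# Constructed profile for a Property Custodian at one unit.
CUSTODIAN = SecurityProfile(
    user="jdoe",
    grants=[
        Grant("Asset Mgmt", "update", frozenset({"Receipt", "Transfer"}),
              frozenset({"W12345"}), frozenset({"HR-01", "HR-02"})),
        Grant("Reports", "inquiry", frozenset({"Inventory"}), frozenset({"W12345"})),
        # Temporary update access to another unit's disposals, closed 2005-03-31.
        Grant("Asset Mgmt", "update", frozenset({"Disposal"}), frozenset({"W67890"}),
              expires=date(2005, 3, 31)),
    ],
)
TODAY = date(2005, 3, 1)          # constructed review date, inside the temporary window
AFTER_EXPIRY = date(2005, 4, 1)   # constructed date after the temporary grant closes

if __name__ == "__main__":
    print(authorize(CUSTODIAN, "Asset Mgmt", "Receipt", "W12345", "HR-01", "enter", TODAY))
    print(authorize(CUSTODIAN, "Asset Mgmt", "Receipt", "W12345", "HR-03", "enter", TODAY))
    print(authorize(CUSTODIAN, "Reports", "Inventory", "W12345", "HR-09", "modify", TODAY))
    print(authorize(CUSTODIAN, "Asset Mgmt", "Disposal", "W67890", "HR-77", "enter", AFTER_EXPIRY))
    for g, active in temporary_grants(CUSTODIAN, AFTER_EXPIRY):
        print("temporary:", g.module, g.programs, "active" if active else "expired")
```

The point of the structure is that the expiry is evaluated on every request rather than depending on someone remembering to revoke the grant, and that a request failing any single dimension (wrong hand receipt, wrong UIC, read-only privilege used for an update) falls through to the deny.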

CO No. 21 
Control Objective: Owners determine disposition and sharing of data. 
Control Activity: 
  DISA-Dayton: The “Disposition of Unclassified DoD Computer Hard Drives” policy is followed for the disposal of equipment containing sensitive information and software. 
  DFAS-Columbus: Security Profiles in DPAS limit the DPAS Modules that can be accessed by a user and the functionality provided within those DPAS Modules. 
Test Procedure: 
  DISA-Dayton: Obtained and read the “Disposition of Unclassified DoD Computer Hard Drives” policy used by DISA-Dayton. Conducted inquiry of the DPAS Database Administrator and confirmed that the policy was being used. Observed the destroyed hard drives located at DISA-Dayton. 
  DFAS-Columbus: Observed that each user account was assigned a Security Profile that restricted access by module, program, UIC, and Hand Receipt. 
Results of Testing: No relevant exceptions noted. 

CO No. 22 
Control Objective: Adequate physical security controls have been implemented. 
Control Activity: 
  DISA-Ogden, DISA-Dayton: Physical and logical access controls are in place to restrict employees to authorized actions based on organizational and individual job responsibilities. Every physical access point that displays sensitive information or unclassified information that has not been cleared for release is controlled during business hours and guarded or locked during non-business hours. Current signed procedures exist for controlling visitor access. 
Test Procedure: 
  DISA-Ogden: Observed the physical safeguards in place for DISA-Ogden to confirm that safeguards had been established to mitigate the risk of physical damage or access. Observed that facility penetration testing processes were in place that included periodic, unannounced attempts to penetrate key computing facilities, and that every physical access point that displayed sensitive information or unclassified information that had not been cleared for release was controlled during business hours and guarded or locked during non-business hours. 
  DISA-Dayton: Confirmed through observation that physical safeguards had been established at DISA-Dayton to mitigate the risk of physical damage or access. Observed that facility penetration testing processes were in place that included periodic, unannounced attempts to penetrate key computing facilities, and that every physical access point that displayed sensitive information or unclassified information that had not been cleared for release was controlled during business hours and guarded or locked during non-business hours. 
Results of Testing: No relevant exceptions noted. 
CO No. 23 
Control Objective: Physical safeguards have been established that are commensurate with the risks of physical damage or access. 
Control Activity: 
  DISA-Dayton: All packages entering DISA-Dayton are inspected by entry control for possible bombs. Panic buttons notify Security in the case of an emergency. The notified Security Forces immediately notify all posts and patrols and furnish them with all available information. Security forces seal off the immediate area of DECC-Dayton, or installation entry and exit points may be blocked. Fire suppression and prevention devices are installed in the DPAS data center. Visitors must sign in with the DISA-Dayton Security Attendant prior to entry into the DISA-Dayton facility. 
Test Procedure: 
  DISA-Dayton: Confirmed through inspection of penetration exercise documentation that facility penetration testing processes were in place that included periodic, unannounced attempts to penetrate key computing facilities, and that every physical access point that displayed sensitive information or unclassified information that had not been cleared for release was controlled during business hours and guarded or locked during non-business hours. Observed that the DPAS data center was protected by fire suppression and that the prevention devices were installed and working. Observed that there was a UPS and that the cooling system was periodically maintained. Confirmed through observation that DISA-Dayton had a master power switch to stop power to IT equipment, located at the data center entrances and clearly labeled. 
Results of Testing: No relevant exceptions noted. 

CO No. 24 
Control Objective: Visitors are controlled. 
Control Activity: 
  DISA-Ogden, DISA-Dayton: Entry control is manned during normal business hours, 0700-1600, Monday through Friday. The entry control personnel manage and maintain the entry point, check badges, and issue visitor badges. 
Test Procedure: 
  DISA-Ogden: Read the visitor policy and procedure for DISA-Ogden to confirm they were documented. Observed the visitor check-in and check-out process for DISA-Ogden. Confirmed through inquiry and observation that visitor access to DoD information was determined by both its classification and user need-to-know. 
  DISA-Dayton: Confirmed through inquiry that all visitors were controlled. Read DOD OI 125-5 to confirm that the instruction detailed the procedures for obtaining access and the security procedures for access to controlled areas. Read the Department of the Air Force’s penetration memorandum to confirm that a penetration exercise was performed by the SFS on the DISA-Dayton facility. 
Results of Testing: No relevant exceptions noted. 
CO No. 25 
Control Objective: Adequate logical access controls have been implemented at the application layer. 
Control Activity: 
  DISA-Ogden: A SAAR form is required to be completed and authorized before a user is issued access to the application layer of the system. 
  DFAS-Columbus: Security Profiles in DPAS limit the DPAS Modules that can be accessed by a user and the functionality provided within those DPAS Modules. 
Test Procedure: 
  DISA-Ogden: Inspected a haphazard sample of SAAR Form 2875 to confirm that each Form 2875 detailed the user’s justification for access and security clearance level, and that each Form 2875 was properly approved. 
  DFAS-Columbus: Observed that each user account was assigned a Security Profile that restricted access by module, program, UIC, and Hand Receipt. 
Results of Testing: We noted that 4 out of 45 users tested did not have a System Access Authorization Request form on file. According to DISA-Ogden personnel, the missing forms resulted from the transfer of responsibility for the forms from DISA-Dayton to DISA-Ogden; DISA-Ogden believed they were lost during the physical transfer of the forms from DISA-Dayton to DISA-Ogden. The DISA-Ogden Contract Technical Requirement Analyst indicated to us that these four users were authorized to have access to the system based on daily interaction processing authorization requests. Confirmed through inquiry of the IT Specialist, User Creation Division, and observed a sample of user access forms to confirm that DPAS user accounts and the necessary documentation were on file. 
Control Objective 26: Passwords, tokens, or other devices are used to identify and authenticate users.

Control Activity (DISA-Ogden, DFAS-Columbus): Passwords are used to identify and authenticate users when accessing the DPAS application.

Test Procedure (DISA-Ogden): Confirmed through inquiry that passwords were used to authenticate users. Read the Security Account Creation Guide at DISA-Ogden to confirm that authentication devices were in compliance with DoD standards.

Test Procedure (DFAS-Columbus): Observed the DPAS application to confirm that users needed a valid User ID and Password to gain access to the system. Observed that accounts became locked after three failed login attempts.

Results of Testing: No relevant exceptions noted.

Control Objective 27: Access paths are identified as part of a risk analysis and documented in an access path diagram.

Control Activity (DISA-Oklahoma City (OKC)): Access control lists (ACL) have been implemented for interconnections among DoD information systems. The ACLs are controlled by DISA-OKC.

Test Procedure (DISA-OKC): Confirmed through inquiry that ACLs, user management controls, firewalls, intrusion detection systems (IDS), and authentications were all used to control network access. Observed the existence of the ACLs at DISA-Dayton by having a network administrator display the listing on his desktop. Obtained and read the network diagrams for DISA-Ogden and DISA-Dayton to confirm that access paths were documented and monitored by IDSs.

Results of Testing: No relevant exceptions noted.

Control Objective 28: Access is restricted to data files and software programs.

Control Activity (DISA-Ogden, DISA-Dayton): Access to data files and software programs is limited to authorized personnel on a “need-to-know” basis.

Test Procedure (DISA-Ogden, DISA-Dayton): For the DPAS servers, confirmed through inquiry and inspection of root access users that access restrictions had been established around the data files and software programs. Inspected the access logs and corroborated with management that the access logs were reviewed for inappropriate access and that system libraries were managed and maintained to protect privileged programs.

Results of Testing: No relevant exceptions noted.

Control Objective 29: Access settings have been implemented in accordance with the access authorizations established by the resource owners.

Control Activity (DISA-Ogden, DFAS-Columbus): Access to data files and software programs is limited to authorized personnel on a “need-to-know” basis.

Test Procedure (DISA-Ogden): Inspected a haphazard sample of SAAR Form 2875 to confirm that each Form 2875 detailed the user’s justification for access, security clearance level, and that each Form 2875 was properly approved.

Test Procedure (DFAS-Columbus): Observed the DPAS system to confirm that each user account was assigned a Security Profile that restricted access by module, program, UIC, and Hand Receipt.

Results of Testing: We noted that 4 out of 45 users tested did not have a System Access Authorization Request form on file. According to DISA-Ogden personnel, the missing forms resulted from the transfer of responsibility for the forms from DISA-Dayton to DISA-Ogden. DISA-Ogden believed they were lost during the physical transfer of the forms from DISA-Dayton to DISA-Ogden. The DISA-Ogden Contract Technical Requirement Analyst indicated to us that these four users were authorized to have access to the system based on daily interaction processing authorization requests. Confirmed through inquiry of the IT Specialist, User Creation Division, and observation of a sample of user access forms that DPAS user accounts and the necessary documentation were on file.

Control Objective 30: Telecommunications controls are properly implemented in accordance with authorizations that have been granted.

Control Activity (DISA-OKC): The following are used to provide telecommunication controls:

•  ACLs,
•  IDS,
•  Firewalls,
•  Encryption, and
•  Network monitoring.

Test Procedure (DISA-OKC): Confirmed through inquiry that telecommunications controls were implemented. Observed the existence of ACL, IDS, Firewalls, Encryption, and Network monitoring controls. Using an automated tool, performed passive network monitoring of DPAS related network traffic over a period of 10 days to test for unauthorized network connections.

Results of Testing: No relevant exceptions noted.

Control Objective 31: Procedures are in place to clear sensitive information and software from computers, disks, and other equipment or media when they are disposed of or transferred to another use.

Control Activity (DISA-Dayton): The “Disposition of Unclassified DoD Computer Hard Drives” policy is followed for the disposal of equipment containing sensitive information and software.

Test Procedure (DISA-Dayton): Read the “Disposition of Unclassified DoD Computer Hard Drives” policy used by DISA-Dayton. We confirmed the policy was being used through the DPAS Database Administrator. Observed the destroyed hard drives located at DISA-Dayton.

Results of Testing: No relevant exceptions noted.

Control Objective 32: Audit trails are maintained at the application layer, operating system, and database layer.

Control Activity (DISA-Ogden, DISA-Dayton): Operating System and database audit files are periodically moved to an audit server located at Ogden. The audit files are then transferred to CD and stored on site for one year. After one year, the CDs are destroyed.

Control Activity (DFAS-Columbus): The DPAS application maintains a History Inquiry of each asset that allows a user to view an audit trail of transactions for an asset.

Test Procedure (DISA-Ogden, DISA-Dayton): Confirmed through inquiry that DISA-Ogden, DISA-Dayton, and DFAS-Columbus had implemented audit trails at the application layer, operating system, and database layer. Confirmed through inquiry of the Assistant ISSO that audit trails were maintained and logs were read. Confirmed through inquiry of the DPAS DBA and SA that DISA-Ogden personnel routinely reviewed the logs. Confirmed through inquiry and observation that audit logs included activities that might modify, bypass, or negate safeguards controlled by the system, and that the audit trails were stored on CDs in the DISA-Ogden facility, protected against unauthorized access, modification, or deletion, and maintained for 1 year and then destroyed.

Test Procedure (DFAS-Columbus): Observed that the DPAS History Inquiry captured the transactional activity of assets.

Results of Testing: No relevant exceptions noted.

Control Objective 33: The contents of audit trails are protected against unauthorized access, modification or deletion.

Control Activity (DISA-Ogden, DISA-Dayton): Only the IAM, the Assistant IAM, Database Administrator and the HP/UX System Administrators had access to the audit trails.

Test Procedure (DISA-Ogden, DISA-Dayton): Read the policy and procedures for protection of the audit trails and noted that policy limiting access to these audit trails was documented. Observed that only the IAM, the Assistant IAM, Database Administrator and the HP/UX Systems Administrators had access to the audit trails. Attempted to access the audit trails using a test account.

Results of Testing: No relevant exceptions noted.

Control Objective 34: Tools are available for the review of audit records and for report generation from audit records.

Control Activity (DISA-Ogden, DISA-Dayton): The Hewlett Packard Audit Trail tools can be used to review and report existing audit records.

Test Procedure (DISA-Ogden, DISA-Dayton): Confirmed through inquiry of DISA-Ogden personnel that a tool was not available to efficiently review audit records.

Results of Testing: DISA-Ogden did not have a software tool available to proactively monitor or review operating system audit trails because they did not have the appropriate software tool that would allow them to efficiently analyze large volumes of audit log data.

Control Objective 35: Actual or attempted unauthorized, unusual, or sensitive network access is monitored.

Control Activity (DISA-Ogden, DISA-OKC): Authorized and unauthorized network access is monitored through Transmission Control Protocol (TCP) Wrapper and Klaxon or Banshee. Host based IDS (Symantec Enterprise Security Manager (ESM) and Intruder Alert) are installed on all Unix servers.

Test Procedure (DISA-Ogden, DISA-OKC): Inquired with the System Administrator to confirm that unauthorized, unusual, or sensitive access was monitored. Confirmed through inquiry and observation that DISA currently had network, firewall, and IDS logs. These logs were monitored and maintained to include full audit trails including syslogs and were retained indefinitely. Confirmed through inquiry and observation that authorized and unauthorized network access authorizations were appropriately limited by user management, ACLs, Firewalls, authentication, and network monitoring.

Results of Testing: No relevant exceptions noted.
Control Objective 36: Suspicious or irregular access activity is investigated and appropriate action taken.

Control Activity (DISA-Ogden): When suspicious activity is detected, an initial investigation is performed. If deemed an actual event, the Continental U.S. (CONUS) Regional Computer Emergency Response Team (RCERT) is notified and action is taken as required.

Test Procedure (DISA-Ogden): Inquired with the System Administrator to confirm that suspicious or irregular access activity was investigated and appropriate actions were taken. Obtained and read evidence that the investigations and corrective actions had taken place.

Results of Testing: No relevant exceptions noted.

Control Objective 37: The acquisition, development, and/or use of mobile code to be deployed in DoD systems meet current guidelines, standards and regulations.

Control Activity (DISA-Ogden): No mobile code is used on the DPAS servers.

Control Activity (DISA Oklahoma City (DISA-OKC)): All IA devices have been approved by NSA or in accordance with NSA before acquiring and implementing.

Test Procedure (DISA-Ogden): Inspected the DoD systems guidelines, standards, and regulations concerning mobile code. Inquired with the System Administrator to confirm that the acquisition, development, and use of mobile code to be deployed in DoD systems met current guidelines, standards and regulations.

Test Procedure (DISA-OKC): Confirmed through inquiry that DISA-OKC verified NSA evaluation or evaluation in accordance with NSA approval for all IA related products. Read the National Information Assurance Partnership (NIAP) website and confirmed that the website provided a list of approved products that included the products being used by DPAS.

Results of Testing: No relevant exceptions noted.

Control Objective 38: All servers, workstations and mobile computing devices implement virus protection that includes a capability for automatic updates.

Control Activity (DISA-Ogden, DISA-Dayton): All servers, workstations and mobile computing devices implement virus protection that includes a capability for automatic updates.

Test Procedure (DISA-Ogden, DISA-Dayton): Observed that all servers, workstations and mobile computing devices implemented virus protection that included a capability for automatic updates for all DPAS locations. Obtained print screen as evidence that virus protection settings had been configured.

Results of Testing: No relevant exceptions noted.
Control Objective 39: All Virtual Private Network (VPN) traffic is visible to network IDS.

Control Activity (DISA-OKC): All network traffic, including VPN traffic, is visible to the RealSecure IDS.

Test Procedure (DISA-OKC): Inquired with System Administrators to confirm that all VPN traffic was visible to network IDS. Read the system network diagram and corroborated with the SA to confirm that VPN traffic was included on the diagram.

Results of Testing: No relevant exceptions noted.

Control Objective 40: At a minimum, medium-robustness Commercial Off-the-Shelf IA and IA-enabled products are used to protect sensitive information when the information transits public networks or the system handling the information is accessible by individuals who are not authorized to access the information on the system.

Control Activity (DISA-OKC): All networks managed by DISA-OKC have been encrypted in accordance with the National Institute of Standards and Technology (NIST) cryptography standards.

Test Procedure (DISA-OKC): Inquired with Key Personnel to confirm that medium-robustness Commercial Off-the-Shelf IA and IA-enabled products were used to protect sensitive information when the information transited public networks or the system handling the information was accessible by individuals who were not authorized to access the information on the system, for each of the DPAS locations. Using an automated tool, performed passive network monitoring of DPAS related network traffic over a period of 10 days to test for unencrypted traffic transmitted over commercial or wireless networks.

Results of Testing: No relevant exceptions noted.

Control Objective 41: Unless there is an overriding technical or operational problem, workstation screen-lock functionality is associated with each workstation.

Control Activity (DISA-Ogden): Unless there is an overriding technical or operational problem, workstation screen-lock functionality is associated with each workstation. When activated, the screen-lock function places an unclassified pattern onto the entire screen of the workstation, totally hiding what was previously visible on the screen.

Test Procedure (DISA-Ogden): Confirmed through observation that workstation screen-lock functionality was applied. If screen-locks were not being used, confirmed through inquiry the reason with the DPAS SA.

Results of Testing: No relevant exceptions noted.

Control Objective 42: Instant messaging traffic to and from instant messaging clients that are independently configured by end users and that interact with a public service provider is prohibited within DoD information systems.

Control Activity (DISA-OKC): Instant messaging is prohibited at all DISA sites.

Test Procedure (DISA-OKC): Inquired with DISA-Ogden Staff to confirm that no instant messaging was used. Using an automated tool, performed passive network monitoring of DPAS related network traffic over a period of 10 days to test for instant messaging traffic.

Results of Testing: No relevant exceptions noted.

Control Objective 43: For Automated Information System applications, a list of all (potential) hosting enclaves is developed and maintained along with evidence of deployment planning and coordination and the exchange of connection rules and requirements.

Control Activity (DISA-Ogden): The DPAS hosting enclaves are documented in the DPAS SSAA.

Test Procedure (DISA-Ogden): Read the DPAS SSAA to confirm the DPAS enclave and backup enclave had been identified and documented.

Results of Testing: No relevant exceptions noted.

Control Objective 44: Group authenticators for application or network access may be used only in conjunction with an individual authenticator.

Control Activity (DISA-Ogden): A SAAR Form 2875 is sent to Ogden to request access to DPAS. Ogden then verifies required field contents and signatures. Ogden creates User IDs and passwords and retains the Form 2875. The user location’s DPAS Security Officer applies the user access permissions.

Control Activity (DFAS-Columbus): Users must possess a valid User ID and password to gain access to DPAS.

Test Procedure (DISA-Ogden): Confirmed through inquiry whether group authenticators for application or network access were used only in conjunction with an individual authenticator. Confirmed through inquiry that, if used in conjunction with individual authenticators, approval had been given by the DAA. Inspected a haphazard sample of SAAR Form 2875 to confirm that each Form 2875 detailed the user’s justification for access, security clearance level, and that each Form 2875 was properly approved.

Test Procedure (DFAS-Columbus): Observed DPAS to confirm that users must possess a valid Login and Password to gain access to the system. Observed the entering of an invalid User ID and password to confirm that the system displayed an error message to the user.

Results of Testing: We noted that 4 out of 45 users tested did not have a System Access Authorization Request form on file. According to DISA-Ogden personnel, the missing forms resulted from the transfer of responsibility for the forms from DISA-Dayton to DISA-Ogden. DISA-Ogden believed they were lost during the physical transfer of the forms from DISA-Dayton to DISA-Ogden. The DISA-Ogden Contract Technical Requirement Analyst indicated to us that these four users were authorized to have access to the system based on daily interaction processing authorization requests. Confirmed through inquiry of the IT Specialist, User Creation Division, and observation of a sample of user access forms that DPAS user accounts and the necessary documentation were on file.

Control Objective 45: To help prevent inadvertent disclosure of controlled information, all contractors and foreign nationals are identified by e-mail addresses and display names.

Control Activity (DISA-Ogden): All contractors are identified by the inclusion of the abbreviation “ctr” and all foreign nationals are identified by the inclusion of their two character country code.

Test Procedure (DISA-Ogden): Obtained a listing of all contractor and foreign national email addresses and display names for DISA Ogden and confirmed that their proper identifications were present.

Results of Testing: No relevant exceptions noted.
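The test procedure for Control Objective 45 can be automated over an account export. The following is an added example, not part of the report or of DISA's tooling; the tab-separated listing, the category labels and the small country-code allow-list are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed allow-list of ISO 3166-1 alpha-2 codes for this example; a
# production check would load the complete code table.
KNOWN_COUNTRY_CODES = {"AU", "CA", "DE", "FR", "GB", "JP", "KR"}

# Constructed account export (tab-separated): e-mail, display name, category.
SAMPLE_LISTING = """\
# email\tdisplay name\tcategory
john.smith.ctr@example.mil\tSmith, John CTR\tcontractor
jane.doe@example.mil\tDoe, Jane\tcivilian
pat.jones@example.mil\tJones, Pat\tcontractor
a.mueller.de@example.mil\tMueller, Anna DE\tforeign_national
k.tanaka@example.mil\tTanaka, Ken\tforeign_national
r.lee@example.mil\tLee, Rita CTR\tcivilian
"""


@dataclass
class AccountEntry:
    email: str
    display_name: str
    category: str  # civilian, military, contractor or foreign_national


def parse_listing(text: str) -> List[AccountEntry]:
    """Parse the tab-separated export, skipping blank and comment lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        email, display_name, category = (f.strip() for f in line.split("\t"))
        entries.append(AccountEntry(email, display_name, category))
    return entries


def has_ctr_marker(display_name: str) -> bool:
    """True when 'ctr' appears as its own token (so 'Spectre' does not match)."""
    return re.search(r"(?<![a-z])ctr(?![a-z])", display_name, re.IGNORECASE) is not None


def country_code_in(display_name: str) -> Optional[str]:
    """Return the first standalone two-letter token that is a known country code."""
    for token in re.findall(r"\b[A-Z]{2}\b", display_name):
        if token in KNOWN_COUNTRY_CODES:
            return token
    return None


def find_exceptions(entries: List[AccountEntry]) -> List[Tuple[str, str]]:
    """Return (email, reason) for each account whose display name misidentifies it."""
    exceptions = []
    for e in entries:
        if e.category == "contractor":
            if not has_ctr_marker(e.display_name):
                exceptions.append((e.email, "contractor display name lacks 'ctr'"))
        elif e.category == "foreign_national":
            if country_code_in(e.display_name) is None:
                exceptions.append((e.email, "foreign national display name lacks country code"))
        elif has_ctr_marker(e.display_name):
            # The reverse error: a government employee labelled as a contractor.
            exceptions.append((e.email, "non-contractor display name carries 'ctr'"))
    return exceptions


if __name__ == "__main__":
    for email, reason in find_exceptions(parse_listing(SAMPLE_LISTING)):
        print(f"{email}: {reason}")
```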

Control Objective 46: Unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using NIST-certified cryptography.

Control Activity (DISA-OKC): All networks managed by DISA-OKC have been encrypted in accordance with NIST cryptography standards.

Test Procedure (DISA-OKC): Inquired with Key Personnel to confirm that NIST cryptography was used to protect information when the information transited public networks or the system handling the information was accessible by individuals who were not authorized to access the information on the system, for each of the DPAS locations. Using an automated tool, performed passive network monitoring of DPAS related network traffic over a period of 10 days and confirmed that no unencrypted traffic was transmitted over commercial or wireless networks.

Results of Testing: No relevant exceptions noted.

Control Objective 47: Discretionary access controls are a sufficient IA mechanism for connecting DoD information systems operating at the same classification, but with different need-to-know access rules.

Control Activity (DISA-OKC): ACLs have been implemented for interconnections among DoD information systems. The ACLs are controlled by DISA-OKC.

Test Procedure (DISA-OKC): Confirmed through inquiry that a controlled interface was used for interconnections among the DoD information systems that were connected to DPAS. Observed the existence of the ACLs at DISA-Dayton by having a network administrator display the listing on his desktop.

Results of Testing: No relevant exceptions noted.

Control Objective 48: Conformance testing that includes periodic, unannounced, in-depth monitoring and provides for specific penetration testing to ensure compliance with all vulnerability mitigation procedures is planned, scheduled, and conducted.

Control Activity (DISA-Ogden): An unannounced ISS scan is performed monthly. Automated SRR scripts are run on each server and reported to the Montgomery SRR database on a weekly basis. Each system has an SRR and an ISS scan before it is connected to the network. The DISA Field Security Office runs periodic SRRs and ISS scans. DISA-Ogden conducts an operation facility environmental risk assessment.

Test Procedure (DISA-Ogden): Confirmed through inquiry that conformance testing that included periodic, unannounced, in-depth monitoring and provided for specific penetration testing to confirm compliance with all vulnerability mitigation procedures was planned, scheduled, and conducted. Confirmed through inquiry that DISA-Ogden did not perform periodic network penetration testing. Inspected ISS scans and obtained evidence that the conformance and penetration testing was being completed.

Results of Testing: DISA-Ogden did not perform periodic network penetration testing to identify vulnerabilities with the DPAS architecture.

Control Objective 49: All users are warned that they are entering a Government information system.

Control Activity (DISA-Ogden; DISA-Dayton): A warning banner notifies a user that they are entering a DoD information system when they logon.

Test Procedure (DISA-Ogden; DISA-Dayton): Observed that workstations display a DoD warning banner at logon.

Results of Testing: No relevant exceptions noted.

Control Objective 50: Information and DoD information systems that store, process, transmit, or display data in any form or format that is not approved for public release comply with all requirements in policy and guidance documents.

Control Activity (DISA-Ogden): Unless there is an overriding technical or operational problem, workstation screen-lock functionality is associated with each workstation. When activated, the screen-lock function places an unclassified pattern onto the entire screen of the workstation, totally hiding what was previously visible on the screen. Information in transit through a network at the same classification level is encrypted. Work areas are behind monitored entrances and appropriate placement of cubicles and workstations is implemented.

Test Procedure (DISA-Ogden): Confirmed through observation that workstation screen-lock functionality was applied. Inquired with key personnel to confirm that information in transit through a network at the same classification level was encrypted. Using an automated tool, performed passive network monitoring of DPAS related network traffic over a period of 10 days to test for unencrypted traffic transmitted over commercial or wireless networks. Observed that displays and printers used for classified information were positioned to deter unauthorized individuals from reading the information at all of the locations.

Results of Testing: No relevant exceptions noted.

Control Objective 51: Information in transit through a network at the same classification level, but which must be separated for need-to-know reasons, is encrypted, at a minimum, with NIST-certified cryptography.

Control Activity (DISA-Ogden): Information in transit through a network at the same classification level is encrypted.

Test Procedure (DISA-Ogden): Inquired with key personnel to confirm that information in transit through a network at the same classification level was encrypted with NIST-certified cryptography. Using an automated tool, performed passive network monitoring of DPAS related network traffic over a period of 10 days to test for unencrypted network traffic.

Results of Testing: No relevant exceptions noted.
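Several test procedures above (Control Objectives 30, 40, 42, 46, 50 and 51) rely on the same 10-day passive network monitoring, looking for unencrypted traffic leaving the enclave and for instant-messaging traffic. The following is an added example of that review logic over flow summaries; it is not the auditors' tool, the record layout and the flow records are constructed, and the network-segment label per flow is assumed to come from the capture point.

```python
from datetime import date
from typing import Dict, List, Tuple

# Destination ports of protocols that carry data or credentials in the clear.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}
# Well-known ports of public instant-messaging services (prohibited at all sites).
IM_PORTS = {1863: "msn", 5050: "yahoo", 5190: "aim/icq", 5222: "xmpp", 6667: "irc"}
# Ports whose payload is expected to be encrypted.
ENCRYPTED_PORTS = {22: "ssh", 443: "https", 993: "imaps", 995: "pop3s"}

# Constructed flow summaries, one per day of a 10-day capture. Fields: day,
# source, destination, destination port, network segment the flow crossed,
# first payload bytes in hex. The layout is an assumption for this example.
SAMPLE_FLOWS = """\
# day        src          dst            dport network    payload
2005-03-01   10.1.1.10    10.1.2.20      22    internal   5353482d322e302d
2005-03-02   10.1.1.10    203.0.113.5    443   commercial 160301004a010000
2005-03-03   10.1.1.11    203.0.113.9    80    commercial 474554202f20485454502f312e31
2005-03-04   10.1.1.12    203.0.113.9    443   wireless   160301004a010000
2005-03-05   10.1.1.13    10.1.2.21      23    internal   fffd18fffd20
2005-03-06   10.1.1.14    198.51.100.7   5190  internal   2a01000100000000
2005-03-07   10.1.1.15    203.0.113.4    8080  wireless   474554202f696e6465782e68746d6c
2005-03-08   10.1.1.16    203.0.113.4    993   commercial 160301004a010000
2005-03-09   10.1.1.17    10.1.2.22      80    internal   474554202f20485454502f312e31
2005-03-10   10.1.1.18    203.0.113.8    22    commercial 5353482d322e302d
"""


def looks_like_cleartext(payload: bytes) -> bool:
    """Heuristic: mostly printable ASCII in the first bytes means an unencrypted protocol."""
    if not payload:
        return False
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(payload) > 0.9


def parse_flows(text: str) -> List[Dict]:
    """Parse the whitespace-separated flow summaries, skipping comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        day, src, dst, dport, network, hexpayload = line.split()
        flows.append({"day": date.fromisoformat(day), "src": src, "dst": dst,
                      "dport": int(dport), "network": network,
                      "payload": bytes.fromhex(hexpayload)})
    return flows


def review_flows(flows: List[Dict], required_days: int = 10
                 ) -> Tuple[List[Tuple[str, str, str, str]], int, bool]:
    """Return (findings, days covered, coverage met); a finding is (kind, detail, src, dst)."""
    findings = []
    for f in flows:
        port = f["dport"]
        if port in IM_PORTS:
            # Instant messaging is prohibited regardless of the segment it crosses.
            findings.append(("instant-messaging", IM_PORTS[port], f["src"], f["dst"]))
            continue
        if f["network"] not in ("commercial", "wireless"):
            continue  # the encryption requirement applies to traffic leaving the enclave
        if port in CLEARTEXT_PORTS:
            findings.append(("unencrypted", CLEARTEXT_PORTS[port], f["src"], f["dst"]))
        elif port not in ENCRYPTED_PORTS and looks_like_cleartext(f["payload"]):
            findings.append(("unencrypted", f"cleartext payload on port {port}",
                             f["src"], f["dst"]))
    days_covered = len({f["day"] for f in flows})
    return findings, days_covered, days_covered >= required_days


if __name__ == "__main__":
    findings, days, ok = review_flows(parse_flows(SAMPLE_FLOWS))
    print(f"{days} days covered, coverage {'met' if ok else 'NOT met'}")
    for kind, detail, src, dst in findings:
        print(f"{kind:18} {detail:30} {src} -> {dst}")
```

The payload heuristic only catches obviously textual protocols on unexpected ports; a short binary preamble on a cleartext protocol would be missed, which is why the port table is checked first.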

Control Objective 52: Connections between DoD enclaves and the Internet or other public or commercial wide area networks require a Demilitarized Zone.

Control Activity (DISA-Ogden): Connections between DoD enclaves and the Internet are configured with a Demilitarized Zone.

Test Procedure (DISA-Ogden): Inspected the DISA-Ogden system architecture to confirm that connections between DoD enclaves and the Internet were configured with a Demilitarized Zone.

Results of Testing: No relevant exceptions noted.

Control Objective 53: Boundary defense mechanisms to include firewalls and network IDS are deployed at the enclave boundary.

Control Activity (DISA-OKC, DISA-Dayton): DISA-Ogden and DISA-Dayton have boundary defense mechanisms in place that include firewalls and IDSs.

Test Procedure (DISA-OKC, DISA-Dayton): Inspected the DISA-OKC system architecture to confirm that boundary defense mechanisms to include firewalls and network IDS were deployed at the enclave boundary. Read the system network diagram and corroborated with the System Administrator to confirm that defense mechanisms were employed. Observed the existence of firewalls and IDSs.

Results of Testing: No relevant exceptions noted.

Control Objective 54: Devices that display or output classified or sensitive information in human-readable form are positioned to deter unauthorized individuals from reading the information.

Control Activity (DISA-Ogden): Work areas are behind monitored entrances and appropriate placement of cubicles and workstations is implemented.

Test Procedure (DISA-Ogden): Observed the displays and printers used for classified information and confirmed that these items were positioned to deter unauthorized individuals from reading the information at all of the locations.

Results of Testing: No relevant exceptions noted.

Control Objective 55: Individuals requiring access to sensitive information are processed for access authorization in accordance with DoD personnel security policies.

Control Activity (DISA-Ogden): A Form 2875 is required to be completed by anyone requesting access to DPAS. The form must be completed correctly and have all the required signatures.

Test Procedure (DISA-Ogden): Read the policies and procedures for gaining access to sensitive information. Inspected a haphazard sample of SAAR Form 2875s to confirm that each Form 2875 detailed the user’s justification for access, security clearance level, and that each Form 2875 was properly approved.

Results of Testing: We noted that 4 out of 45 users tested did not have a System Access Authorization Request form on file. According to DISA-Ogden personnel, these missing forms resulted from the transfer of responsibility for the forms from DISA-Dayton to DISA-Ogden. DISA-Ogden believed they were lost during the physical transfer of the forms from DISA-Dayton to DISA-Ogden. The DISA-Ogden Contract Technical Requirement Analyst indicated to us that these four users were authorized to have access to the system based on daily interaction processing authorization requests. Confirmed through inquiry of the IT Specialist, User Creation Division, and observation of a sample of user access forms that DPAS user accounts and the necessary documentation were on file.

Control Objective 56: DoD information systems comply with DoD ports, protocols, and services guidance.

Control Activity (DISA-Dayton): All ports, protocols, and services used by DPAS are in compliance with DoD standards documented in the Unix STIG.

Test Procedure (DISA-Dayton): Confirmed through the performance of network monitoring that DoD information systems complied with DoD ports, protocols, and services guidance, including all ports, protocols, and services whether currently active or planned for use. Confirmed that all ports, protocols, and services were identified and registered. Read the documentation of DPAS being successfully STIGed.

Results of Testing: No relevant exceptions noted.

Control Objective 57: Binary or machine executable public domain software products and other software products with limited or no warranty are not used in DoD information systems.

Control Activity (DISA-Ogden): DPAS does not have binary or machine executable public domain software installed.

Test Procedure (DISA-Ogden): Read a listing of software products used at DISA-Ogden to confirm DPAS did not have binary or machine executable public domain software installed. Read the software inventory listing and conducted inquiry with the Program Manager for Configuration Management to confirm that binary or machine executable public domain software products and other software products with limited or no warranty were not installed on DPAS.

Results of Testing: No relevant exceptions noted.

Application  Software  Development  and  Change  Control 

Control Objective 58: A system development life cycle methodology (SDLC) has been implemented and documented.

Control Activity (NAVSISA): A Change Management Plan has been implemented, documented, and updated. NAVSISA follows a documented Software Configuration Management Plan for all system maintenance activity.

Test Procedure (NAVSISA): Read the Change Management Plan to confirm that it had been updated.

Results of Testing: No relevant exceptions noted.

CO No. 59
Control Objective: Authorizations for software modifications are documented and maintained.
Control Activity (NAVSISA): Using the DPAS Software Configuration Management Plan as the overarching guidance, all System Change Requests (SCRs) are approved by the DPAS Program Manager. Specific changes that are to occur as a result of SCRs are documented in the System Subsystem Specification that is developed by NAVSISA and provided to the Software Director for approval. Changes relating to PTRs are also approved by the Software Director. Configured Items (CIs) related to SCRs and PTRs that are identified for a release are tracked at NAVSISA using CMTS. CMTS provides visibility at the individual CI level as to specific changes that are being prepared for any given release. Prior to a release, a Release Authorization Report is prepared that identifies the CIs that are contained in the release. The DPAS Software Director and a representative of NAVSISA sign this report attesting to the CIs that are to be released to production.
Test Procedure (NAVSISA): Selected the full population of 48 code and database modifications that occurred during the seven month period under review (September 2004 to March 2005) from the DPAS production code library (UNIX directory) and traced each modification to an approved SCR or PTR and confirmed through inspection that it had been authorized by the Program Manager or Software Director and traced each SCR or PTR identified above to the Release Authorization Report to confirm that the CIs had been approved by the Software Director. Inquired of key NAVSISA personnel and DPAS users to confirm the results of the testing above.
Results of Testing: No relevant exceptions noted.

CO No. 60
Control Objective: Use of public domain and personal software is restricted.
Control Activity (DFAS-Columbus): Public domain and personal software must be approved for use.
Test Procedure (DFAS-Columbus): Read DPAS SSAA to confirm that personal software was restricted. Read inventory listing to confirm that binary or machine executable public domain software products and other software products with limited or no warranty were not installed on DPAS.
Results of Testing: No relevant exceptions noted.

CO No. 61
Control Objective: Changes are controlled as programs progress through testing to final approval.
Control Activity (NAVSISA): Test plan standards have been developed for all levels of testing that define responsibilities for each party including users, system analysts, programmers, auditors, quality assurance, and library control. Detailed system specifications are prepared by the programmer and reviewed by a programming supervisor. Software changes are documented so that they can be traced from authorization to the final approved code and they facilitate “trace-back” of code to design specifications and functional requirements by system testers. Unit, integration, and system testing are performed and approved 1) in accordance with the test plan and, 2) applying a sufficient range of valid and invalid conditions. A comprehensive set of test transactions and data is developed that represents the various activities and conditions that will be encountered in processing. Live data are not used in the testing of program changes except to build test data files. Test results are reviewed and documented. Program changes are moved into production only upon documented approval from users and system development management. Documentation is updated for software, hardware, operating personnel, and system users when a new or modified system is implemented.
Test Procedure (NAVSISA): Using the same sample selected for control objective 59, confirmed that the change followed the appropriate test and migration process by inspecting the following for completeness and authorization:
o System Test Plan;
o Detailed system specifications; and
o Unit, System and Acceptance testing results.
Inquired of key NAVSISA personnel and DPAS users to confirm the results of the testing above.
Results of Testing: No relevant exceptions noted.

CO No. 62
Control Objective: Emergency changes are promptly tested and approved before being moved into production.
Control Activity (NAVSISA): Using the DPAS Software Configuration Management Plan as the overarching guidance, all SCRs are approved by the DPAS Program Manager. Specific changes that are to occur as a result of SCRs are documented in the System Subsystem Specification that is developed by NAVSISA and provided to the Software Director for approval. Changes relating to PTRs are also approved by the Software Director. CIs related to SCRs and PTRs that are identified for a release are tracked at NAVSISA using the CMTS. CMTS provides visibility at the individual CI level as to specific changes that are being prepared for any given release. Prior to release, a Release Authorization Report is prepared that identifies the CIs that are contained in the release. The DPAS Software Director and a representative of NAVSISA sign this report attesting to the CIs that are to be released to production.
Test plan standards have been developed for all levels of testing that define responsibilities for each party including users, system analysts, programmers, auditors, quality assurance, and library control. Detailed system specifications are prepared by the programmer and reviewed by a programming supervisor. Software changes are documented so that they can be traced from authorization to the final approved code and they facilitate “trace-back” of code to design specifications and functional requirements by system testers. Unit, integration, and system testing are performed and approved 1) in accordance with the test plan and, 2) applying a sufficient range of valid and invalid conditions. A comprehensive set of test transactions and data is developed that represents the various activities and conditions that will be encountered in processing. Live data are not used in testing of program changes except to build test data files. Test results are reviewed and documented. Program changes are moved into production only on documented approval from users and system development management. Documentation is updated for software, hardware, operating personnel, and system users when a new or modified system is implemented.
Test Procedure (NAVSISA): Selected the full population of 48 code and database modifications that occurred during the seven month period under review (September 2004 to March 2005) from the DPAS production code library (UNIX directory) and traced each modification to an approved SCR or PTR and confirmed through inspection that it had been authorized by the Program Manager or Software Director and traced each SCR or PTR identified above to the Release Authorization Report to confirm that the CIs had been approved by the Software Director. Inquired of key NAVSISA personnel and DPAS users to confirm the results of the testing above.
Using the same sample selected above, confirmed that the change followed the appropriate test and migration process by inspecting the following for completeness and authorization:
o System Test Plan (STP);
o Detailed system specifications; and
o Unit, System and Acceptance testing results.
Inquired of key NAVSISA personnel and DPAS users to confirm the results of the testing above.
Results of Testing: No relevant exceptions noted.

CO No. 63
Control Objective: Distribution and implementation of new or revised software is controlled.
Control Activity (NAVSISA): A Release Authorization Report is prepared that identifies the CIs that are contained in the release and approves the release for distribution.
Test Procedure (NAVSISA): Using the same sample selected for control objective 59, confirmed that the change followed the appropriate distribution process by inspecting the Release Authorization Report for completeness and authorization. Inquired of key NAVSISA personnel and DPAS users to confirm the results of the testing above.
Results of Testing: No relevant exceptions noted.

CO No. 64
Control Objective: Programs are labeled and inventoried.
Control Activity (NAVSISA): Major release CIs for CCB approved SCR’s are entered into CMTS using the impact cost analysis forms for each SCR. All additions, changes, or deletions to the production baseline SCR are submitted to the Change Management for approval. All CIs are assigned identification numbers.
Test Procedure (NAVSISA): Using the same sample selected for control objective 59, confirmed that the CI that was changed had been approved, labeled, assigned an ID, and inventoried in CMTS. Inquired of key NAVSISA personnel and DPAS users to confirm the results of the testing above.
Results of Testing: No relevant exceptions noted.

CO No. 65
Control Objective: Access to program libraries is restricted to appropriate personnel.
Control Activity (NAVSISA): Authorized individuals are restricted to only specifically assigned libraries by the DPAS Librarian.
Test Procedure (NAVSISA): Observed the DPAS Librarian to demonstrate how the development and production libraries were controlled. Inspected the ACLs for the Production and Development libraries (directories) to confirm that only authorized personnel had access. Observed a system developer attempt to update the production library to confirm that access to the production library was restricted. Inquired of key NAVSISA personnel and DPAS users to confirm the results of the testing above.
Results of Testing: No relevant exceptions noted.

CO No. 66
Control Objective: Acquisition or outsourcing of IT services explicitly addresses Government, service provider, and end user IA roles and responsibilities.
Control Activity (NAVSISA): The contract agreement (GS-07T-00-BGD-0063) and Statement of Work with General Dynamics, who performs code development services for NAVSISA in support of DPAS, expressly addresses task, required skill sets, security investigations and nondisclosure agreements for the support of DPAS services.
Test Procedure (NAVSISA): Inspected the General Dynamics contract agreement to confirm if it expressly addressed Government, service provider and end-user IA roles and responsibilities. Inquired of key NAVSISA personnel and DPAS users to confirm the results of the testing above.
Results of Testing: No relevant exceptions noted.

CO No. 67
Control Objective: The acquisition of all IA- and IA-enabled GOTS IT products is limited to products that have been evaluated by the NSA or in accordance with NSA-approved processes.
Control Activity (DISA-OKC): All IA devices have been approved by NSA or in accordance with NSA approval processes before acquiring and implementing.
Test Procedure (DISA-OKC): Confirmed through inquiry that DISA-OKC verified that all IA related products were approved by NSA or in accordance with NSA approved processes. Inspected the NIAP website and confirmed that the website provided a list of approved products including the products used by DPAS.
Results of Testing: No relevant exceptions noted.

CO No. 68
Control Objective: Movement of programs and data among libraries is controlled.
Control Activity (NAVSISA): A Release Authorization Report is prepared that identifies the CIs that are contained in the release and approves the release for distribution.
Test Procedure (NAVSISA): Using the same sample selected for control objective 59, confirmed that the changes selected for testing followed the appropriate distribution process by inspecting the Release Authorization Report for completeness and authorization. Inquired of key NAVSISA personnel and DPAS users to confirm the results of the testing above.
Results of Testing: No relevant exceptions noted.

CO No. 69
Control Objective: Software quality requirements and validation methods that are focused on the minimization of flawed or malformed software that can negatively impact integrity or availability, such as buffer overruns, are specified for all software development initiatives.
Control Activity (DFAS-Columbus): The DPAS Security Specialist at DFAS-Columbus receives DPAS Release Notes from NAVSISA-Mechanicsburg. The DPAS Security Specialist then reviews the DPAS Release Notes for changes related to security. The Testing Director at NAVSISA-Mechanicsburg develops test plans for testing security-related changes. The DPAS Security Specialist then reviews these test plans and assists in the testing of security-related changes included in the DPAS Release.
Control Activity (NAVSISA): Test plan standards have been developed for all levels of testing that define responsibilities for each party (e.g., users, system analysts, programmers, auditors, quality assurance, and library control).
Test Procedure (DFAS-Columbus): Inquired of DPAS Security Specialist at DFAS-Columbus as to his roles and responsibilities for the release of security-related changes included in DPAS Releases. Observed release notes for all major DPAS production releases that occurred during the audit period at NAVSISA-Mechanicsburg.
Test Procedure (NAVSISA): Using the same sample selected for control objective 59, confirmed that the change followed the appropriate test and migration process by inspecting the following for completeness and authorization:
o System Test Plan;
o Detailed system specifications; and
o Unit, System and Acceptance testing results.
Inquired of key NAVSISA personnel and DPAS users to confirm the results of the testing above.
Results of Testing: No relevant exceptions noted.

System Software Controls

CO No. 70
Control Objective: Access authorizations are appropriately limited.
Control Activity (DISA-OKC, DISA-Ogden): ACLs, user management controls, firewalls, IDS, and authentications are used to control network access. Users must have the same level of access of the system they are trying to access, have an established username and password, and be allowed through the router and firewall.
Test Procedure (DISA-OKC): Read the policies and procedures for restricting access to the systems software to confirm that they were up-to-date.
Test Procedure (DISA-Ogden): Obtained a list from the Discretionary Access Control of all individuals who had direct access to the system software and selected a haphazard sample of Ogden users with direct access. For each user selected, confirmed with key management personnel that these users were authorized to have this access.
Results of Testing: No relevant exceptions noted.
CO No. 71
Control Objective: All access paths have been identified and controls implemented to prevent or detect access for all paths.
Control Activity (DISA-OKC): The following are used to provide telecommunication controls:
• ACLs
• IDS
• Firewalls
• Encryption, and
• Network monitoring.
ACLs have been implemented for interconnections among DoD information systems. The ACLs are controlled by DISA-OKC.
Test Procedure (DISA-OKC): Through observation and inquiry, confirmed that telecommunications controls were properly implemented. Obtained policy and procedures relating to DoD information systems access controls to confirm they existed. Through observation and inquiry, confirmed that a controlled interface was used for interconnections among the DoD information systems that were connected to DPAS. Observed the existence of ACL, IDS, Firewalls, Encryption, and Network monitoring. Reviewed output on computer monitor and conducted inquiry of IT Specialist.
Results of Testing: No relevant exceptions noted.

CO No. 72
Control Objective: Policies and techniques have been implemented for using and monitoring the use of system utilities.
Control Activity (DISA-Ogden): The system utilities that support DPAS are limited to root access only. Policies and procedures for using and monitoring the use of system software utilities exist and are up-to-date. Responsibilities for using sensitive system utilities have been clearly defined and are understood by systems programmers. Responsibilities for monitoring use are defined and understood by technical management. The use of sensitive system utilities is logged using access control software reports or job accounting data.
Test Procedure (DISA-Ogden): Inquired with key Ogden personnel to confirm how root access was administered. Obtained the list of individuals with root access and conferred with Management that access was appropriate and that the use of accounts with root access was logged. Read the policies and procedures for the monitoring of systems software to confirm that they existed and were current. Read a sample of the audit logs from the DPAS servers to confirm that key Ogden personnel reviewed the logs on a regular basis and that any issues noted were documented and researched.
Results of Testing: Standard Operating Procedures and DISA-Ogden SSAA were not updated to reflect current processes and procedures. In addition, DISA-Ogden did not proactively monitor or review audit trails since it did not have the tools to perform such monitoring. During our fieldwork, we noted that standard operating procedures had been subsequently documented.

CO No. 73
Control Objective: System software changes are authorized, tested, and approved before implementation.
Control Activity (DISA-Dayton): DPAS system software patches and upgrades are applied in accordance with Information Assurance Vulnerability Alert bulletins or DISA-Ogden policy unless otherwise noted in the Service-Level Agreement (SLA). Current policies and procedures exist for identifying, selecting, installing, and modifying system software. New system software versions or products and modifications to existing system software receive proper authorization and are supported by a change request document. New system software versions or products and modifications to existing system software are tested and the test results are approved before implementation. All emergency changes follow the change management process and must be approved prior to implementation.
Test Procedure (DISA-Dayton): Obtained and read the change management policies and procedures for systems software to confirm that they existed and were current. Obtained a list of all system software purchases and modifications from September 1, 2004 through April 30, 2005 and tested the full population of modifications. For each modification, obtained the change request document for each modification and confirmed that each modification was approved by key Ogden personnel prior to implementation and that each modification was tested and the test results were approved prior to the modification being implemented. Obtained a list of all emergency changes implemented from September 1, 2004 through April 30, 2005 and confirmed through inspection that these changes followed a change management process and were tested and approved prior to implementation.
Results of Testing: No relevant exceptions noted.

CO No. 74
Control Objective: Installation of system software is documented and reviewed.
Control Activity (DISA-Ogden): DPAS system software and patch installations are tracked through HP/UX software utilities. Installation of system software is scheduled to minimize the impact on data processing and advance notice is given to system users. Migration of tested and approved system software to production is performed by an independent source. Installation of all system software is logged to establish an audit trail and reviewed by management. All system software is current and has current and complete documentation.
Test Procedure (DISA-Ogden): Confirmed through inquiry that changes to the HP/UX servers were managed and logged in the CMS. Using the sample of system software modification/implementations selected for control objective 73, confirmed that users were notified of the modification prior to implementation. Obtained the system software audit logs that showed each change selected above being implemented. Confirmed with key Ogden personnel that the logs were reviewed. Obtained the list of personnel with access to migrate system software modifications from the test environment to the production environment and confirmed with Management that an appropriate individual migrated each of the selected modifications. Observed the presence of HP/UX software utilities on the DPAS servers. Read the Executive Software Inventory for DPAS to confirm that it was current.
Results of Testing: DISA-Ogden did not have a software tool available to proactively monitor or review operating system audit trails because they did not have the appropriate tool that would allow them to efficiently analyze large volumes of audit log data to identify potential high risk and unusual system activity.

CO No. 75
Control Objective: Good engineering practices with regards to the integrity mechanisms of Commercial off-the-Shelf, GOTS and custom developed solutions are implemented for incoming and outgoing files.
Control Activity (DISA-OKC): Integrity mechanisms are used for interconnections among the DoD information systems connecting to DPAS for incoming and outgoing files.
Test Procedure (DISA-OKC): Confirmed through inquiry that a controlled interface was used for interconnections among the DoD information systems that were connected to DPAS. Observed the existence of ACL, IDS, Firewalls, Encryption, and Network monitoring.
Test Procedure (DISA-Dayton): Using an automated tool, performed passive network monitoring of DPAS related network traffic over a period of 10 days to confirm that no unencrypted traffic was transmitted over commercial or wireless networks. Confirmed through corroborative inquiry that interfaced inputs were automatically validated by the system for missing information, format, consistency and reasonableness. Observed system batch files of interfaced inputs for control totals and line counts.
Results of Testing: No relevant exceptions noted.

Segregation of Duties

CO No. 76
Control Objective: Incompatible duties have been identified and policies implemented to segregate these duties.
Control Activity (DISA-Ogden): System Administrator, System Security, IAO and IAM duties are all separated at SMC Ogden.
Test Procedure (DISA-Ogden): Read the DISA-Ogden organizational chart and read the job descriptions for the positions at DISA-Ogden in relation to DPAS to confirm that there was an appropriate segregation of duties and that incompatible duties did not exist.
Results of Testing: No relevant exceptions noted.

CO No. 77
Control Objective: System management job descriptions have been documented.
Control Activity (DISA-Ogden): Job descriptions of key DPAS system support personnel are documented.
Test Procedure (DISA-Ogden): Read the job descriptions for key system support personnel at DISA-Ogden to confirm they existed.
Results of Testing: No relevant exceptions noted.

CO No. 78
Control Objective: System management employees understand their duties and responsibilities.
Control Activity (DISA-Ogden): DISA-Ogden employees understand their duties and responsibilities in accordance with DISA policies and procedures.
Test Procedure (DISA-Ogden): Selected a sample of employees and confirmed through inquiry that they understood their duties and responsibilities. Observed documentation to confirm that employees had signed position descriptions.
Results of Testing: No relevant exceptions noted.

CO No. 79
Control Objective: Management reviews effectiveness of control techniques.
Control Activity (DFAS-Columbus): Management periodically assesses the appropriateness and effectiveness of control techniques by updating the Systems Security Policy, Security Requirements, and Certification Test and Evaluation Plan and Procedures.
Test Procedure (DFAS-Columbus): Read the DPAS Systems Security Policy, Security Requirements, and Certification Test and Evaluation Plan and Procedures to confirm that each had been updated.
Results of Testing: No relevant exceptions noted.

CO No. 80
Control Objective: Formal procedures guide system management personnel in performing their duties.
Control Activity (DISA-Ogden): Formal procedures are documented and accessible to guide personnel in performing their duties.
Test Procedure (DISA-Ogden): Read Standard Operating Procedures used by DISA-Ogden personnel for performance of their job duties in respect to DPAS.
Results of Testing: Standard operating procedures and DISA-Ogden SSAA were not updated to reflect existing processes and procedures. During our fieldwork, we noted that standard operating procedures had been subsequently documented.

CO No. 81
Control Objective: Access procedures enforce the principles of separation of duties and “least privilege.”
Control Activity (DFAS-Columbus): User Access profiles are created for DPAS users to limit access to DPAS and enforce a separation of duties.
Test Procedure (DFAS-Columbus): Read the access control policies and procedures for DISA-Ogden for compliance with the principles of separation of duties and “least privilege.”
Results of Testing: No relevant exceptions noted.

CO No. 82
Control Objective: Active supervision and review are provided for all system management personnel.
Control Activity (DISA-Ogden): A documented management structure with supervision has been established.
Test Procedure (DISA-Ogden): Read the DISA-Ogden organizational chart to confirm that a management structure was established. Read position descriptions of DPAS key support personnel to confirm supervisory responsibilities were established.
Results of Testing: No relevant exceptions noted.

Application Controls

CO No. 1
Control Objective: Access controls have been established to enforce segregation of duties.
Control Activity (DFAS-Columbus): The system design permits only authorized users to enter, modify, or otherwise alter property records. The system incorporates adequate security features that prevent unauthorized access to the property system by unauthorized individuals to provide access control. The system’s design can be observed and tested in a production replica.
Test Procedure (DFAS-Columbus): Observed the DPAS system to confirm that its design supported segregating duties. Observed DPAS to confirm that users must possess a valid Login and Password to gain access to the system. Observed the entering of an invalid User ID and password to confirm that the system displayed an error message to the user. Observed the DPAS system to confirm that each user account was assigned a Security Profile that restricted access by module, program, UIC, and Hand Receipt.
Results of Testing: No relevant exceptions noted.

CO No. 2
Control Objective: Controls provide reasonable assurance that all asset acquisitions are recorded.
Control Activity (DFAS-Columbus): The system contains edits and validations that assist the user in adequately recording beginning balances, acquisitions, and withdrawals, and it calculates ending balances expressed in values and physical units, except for heritage assets and stewardship land for which all end of period balances are expressed in physical units only.
Test Procedure (DFAS-Columbus): Confirmed through observation that the DPAS system contained edits and validations that assisted the user in adequately entering beginning balances, acquisitions, and withdrawals through required or restricted fields. Through re-performance, attempted to proceed beyond a window that contained fields without entry to confirm that the system prompts the user with a warning message.
Results of Testing: No relevant exceptions noted.

CO No. 3
Control Objective: Controls provide reasonable assurance that all asset disposals are recorded.
Control Activity (DFAS-Columbus): The system contains edits and validations that assist the user in adequately identifying property as or as held for disposal or retirement.
Test Procedure (DFAS-Columbus): Observed fields in DPAS to confirm that they provided the user the capability of indicating the asset for disposal or retirement. Observed data fields in DPAS to confirm that data entry into those data fields was required and restricted to specified data values. Through re-performance, attempted to proceed beyond a window that contained fields without entry to confirm that the system prompts users with warning messages.
Results of Testing: No relevant exceptions noted.

CO No. 4
Control Objective: Controls provide reasonable assurance that all asset acquisitions are recorded in accordance with DoD and Federal entity’s policy as applicable.
Control Activity (DFAS-Columbus): The system provides users the capability of capturing and categorizing capital assets according to capitalization thresholds in compliance with federal regulation.
Test Procedure (DFAS-Columbus): Confirmed through observation of the DPAS system that it had been designed to enforce the DoD Financial Management Regulation (FMR) Volume 4, Chapter 6. Observed the DPAS system's capitalization key fields to confirm that it provided the user the capability of categorizing the asset as a capital asset (value over $100,000). Observed the DPAS system's validation messages that controlled the user's classification of an asset as a capital asset. Observed that the DPAS system calculated the annual amortization of estimated material, clean-up costs, and the unamortized balance.
Results of Testing: DPAS does not calculate the annual amortization of estimated material, clean-up costs, and the unamortized balance.

Control Objective 5: Controls provide reasonable assurance that depreciation charges are valid.

Control Activity (DFAS-Columbus): The system contains edits and validations that assist the user in accurately recording assets for depreciation.

Test Procedure (DFAS-Columbus): Observed the system to confirm that it recorded depreciation charges for assets that were subject to depreciation.

Observed fields that were required and/or restricted for recording assets that were subject to depreciation.

Results of Testing: No relevant exceptions noted.

Control Objective 6: Controls provide reasonable assurance that asset acquisitions are accurately recorded.

Control Activity (DFAS-Columbus): Asset-related transactions affecting the asset register and/or master file are edited and validated to prevent duplication and reduce the likelihood of creating erroneous property records to maintain the integrity of data recorded in the system; identified errors are corrected promptly.

The system contains edits and validations that assist the user in accurately capturing the method and costs of acquiring each property item or bulk property items including direct purchase, completed work-in-process, completed internal user software in development, capital lease, donation, loan, grant, non-reciprocal transfer or reciprocal transfer, and the date of the acquisition.

Test Procedure (DFAS-Columbus): Read DPAS SSAA Appendix D to confirm that DPAS contained technical controls over user access, authorization, data integrity, and data validation.

Observed the DPAS system to confirm that it included editing and validation functions that would not permit duplication of a stock number or serial number combination, or a duplicate barcode.

Observed the stock number, serial number, and barcode fields to confirm that the user was prompted with an error message if the user entered a duplicate value.

Observed that significant error messages, such as system aborts, were logged to an error log file and observed that the History Table captured asset transactional activity.

Observed that edits and validations were built into the system. Confirmed through observation that the system prompted users with warning messages when values were not entered into required fields.

Observed the application's Hand Receipt Module to confirm that it provided the user the capability of capturing the method of asset acquisition with the assignment of the appropriate “Action Code” and “Date of Acquisition” when performing an “End Item Increase.”

Observed the fields “Acquisition Date” and “Action Code,” which allow a user to capture the method of asset acquisition, to confirm that the fields were required and restricted. Through re-performance, attempted to proceed beyond a window that contained Acquisition Date and Action Code without entry to confirm that the system prompted the user with a warning message.

Results of Testing: No relevant exceptions noted.

Control Objective 7: Controls provide reasonable assurance that asset disposals are accurately calculated and recorded in accordance with USSGL policy.

Control Activity (DFAS-Columbus): The system calculates gain or loss at time of disposal or retirement, sale, exchange, or donation.

The system for capitalized property classifies Property Plant & Equipment according to the USSGL and generates data for the journal entries necessary for recording changes in the valuation including any associated gains or losses.

Test Procedure (DFAS-Columbus): Read the DPAS Help Manual to confirm that the system calculates a gain or loss at the time of disposal.

Observed the DPAS system to confirm that it provided a financial transaction for calculation of gain or loss at the time of disposal or retirement, sale, exchange, and donation.

Observed that the transaction was logged in the History Table, indicating transaction date, time, and the User ID of the person entering the transaction.

Re-performed test and gain or loss calculations similar to depreciation re-performance tests to confirm that a gain or loss was accurately calculated.

Observed the system to confirm that its configuration performed a cross-walk to the USSGL.

Observed the application's asset code field to confirm that it provided the user the capability of classifying PP&E according to the USSGL.

Observed the asset code field to confirm that it was a required or restricted field. Through re-performance, attempted to proceed beyond a window that contained the asset code field without an entry to confirm that the system prompted users with a warning message.

Results of Testing: No relevant exceptions noted.

Control Objective 8: Controls provide reasonable assurance that depreciation charges are accurately calculated and recorded.

Control Activity (DFAS-Columbus): The system contains edits and validations that assist the user in aggregating like items into pools for purposes of calculating depreciation; allows users to reassign an average useful life and acquisition cost; and maintains original unique property records for pooled items.

The system supports an appropriate depreciation method, such as straight line, physical usage and the components needed to calculate depreciation, amortization, or depletion expense including: original asset value; estimated useful life; and salvage or residual value.

The system notifies the user if information is needed for depreciation, amortization or depletion calculations when thresholds are exceeded.

Standard programmed algorithms perform depreciation calculations.

Test Procedure (DFAS-Columbus): Read the electronic DPAS Help Manual to confirm that the Asset Control Code (ACC) identified the accounting class of assets and that DPAS had capital threshold limits. Observed the application's Hand Receipt module and Catalog module to confirm that they provided the user the capability to aggregate homogeneous assets into asset pools via the ACC code field.

Observed that ACC code was a required and restricted field. Through re-performance, attempted to proceed beyond a window without entering an ACC code to confirm that the system prompted users with a warning message.

Read Help Manual to confirm that it included an entire list of system permitted ACC codes.

Observed the application's Catalog module and Accounting module to confirm that they provided the user the capability of capturing the estimated useful life, depreciation, amortization, depletion method, and salvage or residual value for each asset or group of assets when applicable and that the system supported only the straight-line calculation method.

Observed the DPAS system to confirm that it prompted users with the warning message “Threshold Exceeded” if the value exceeded the system's configured threshold.

Re-performed the depreciation algorithm for a haphazard sample of transactions to confirm that the correct calculation was being routinely performed.

Results of Testing: No relevant exceptions noted.
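The re-performance tests described for control objectives 7 and 8 (straight-line depreciation and gain or loss at disposal) can be reproduced from the components the report names: original asset value, estimated useful life, and salvage or residual value. The following is an added example, not DPAS code; the asset records and recorded figures are constructed, and capping accumulated depreciation at the salvage floor is an assumption about correct behaviour, not something the report states.

```python
"""Re-performance of straight-line depreciation and gain/loss on disposal.

Added example, not DPAS code. It recomputes the figures an auditor would
compare against the system's recorded amounts. Asset records and recorded
disposal figures are constructed for illustration."""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


@dataclass(frozen=True)
class Asset:
    asset_id: str
    acquisition_cost: Decimal
    salvage_value: Decimal
    useful_life_months: int


def monthly_depreciation(asset: Asset) -> Decimal:
    """Straight-line charge: (cost - salvage) / useful life, rounded to cents."""
    if asset.useful_life_months <= 0:
        raise ValueError("useful life must be positive")
    if asset.salvage_value > asset.acquisition_cost:
        raise ValueError("salvage value exceeds acquisition cost")
    depreciable_base = asset.acquisition_cost - asset.salvage_value
    return (depreciable_base / asset.useful_life_months).quantize(CENT, ROUND_HALF_UP)


def accumulated_depreciation(asset: Asset, months_in_service: int) -> Decimal:
    """Accumulated charge, capped (assumption) so net book value never drops
    below salvage even if months-in-service runs past the useful life."""
    months = max(0, min(months_in_service, asset.useful_life_months))
    floor = asset.acquisition_cost - asset.salvage_value
    return min(monthly_depreciation(asset) * months, floor)


def gain_or_loss(asset: Asset, months_in_service: int, proceeds: Decimal) -> Decimal:
    """Gain (positive) or loss (negative) = proceeds - net book value at disposal."""
    net_book_value = asset.acquisition_cost - accumulated_depreciation(asset, months_in_service)
    return (proceeds - net_book_value).quantize(CENT, ROUND_HALF_UP)


def reperform(recorded_disposals, assets):
    """Recompute every recorded gain/loss independently and return the
    exceptions as (asset_id, recorded, recalculated) for follow-up."""
    exceptions = []
    for row in recorded_disposals:
        asset = assets[row["asset_id"]]
        expected = gain_or_loss(asset, row["months_in_service"], row["proceeds"])
        if expected != row["recorded_gain_loss"]:
            exceptions.append((row["asset_id"], row["recorded_gain_loss"], expected))
    return exceptions


# Constructed sample: two capital assets and the recorded disposal figures.
ASSETS = {
    "A-1": Asset("A-1", Decimal("120000"), Decimal("0"), 120),      # 10-year life
    "A-2": Asset("A-2", Decimal("150000"), Decimal("30000"), 60),   # 5-year life
}
RECORDED_DISPOSALS = [
    {"asset_id": "A-1", "months_in_service": 36, "proceeds": Decimal("90000"),
     "recorded_gain_loss": Decimal("6000.00")},     # agrees with recalculation
    {"asset_id": "A-2", "months_in_service": 72, "proceeds": Decimal("25000"),
     "recorded_gain_loss": Decimal("-15000.00")},   # does not agree: exception
]

if __name__ == "__main__":
    for exc in reperform(RECORDED_DISPOSALS, ASSETS):
        print("exception: asset %s recorded %s, recalculated %s" % exc)
```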

Control Objective 9: Controls provide reasonable assurance that recorded asset acquisitions represent assets acquired by the organization.

Control Activity (DFAS-Columbus): The system contains edits and validations that prevent the user from entering erroneous data for the acquisition of property in-transit.

Test Procedure (DFAS-Columbus): Observed the application's Hand Receipt module to confirm that it provided the user the capability of identifying an asset as Inbound, Outbound, or Not Applicable by assigning the appropriate “In-transit Code.” Observed that the In-transit Code field restricted the user to selecting one of the three options and defaulted to “Not Applicable.”

Observed the application's Catalog and Document Register to confirm that they provided users the capability of tracking the In-transit Code of an asset by storing the asset's Contract Number. Observed that the Contract Number field could be pre-populated by Fed Log or populated by user entry and that this field was not restrictive. Observed the fields “In-transit Code” and “Contract Number” to confirm that they were required or restricted. Through re-performance, attempted to proceed beyond a window that contained a Contract Number without an entry to confirm that the system prompted users with warning messages.

Results of Testing: No relevant exceptions noted.

Control Objective 10: Controls provide reasonable assurance that only valid changes are made to the asset register and master file.

Control Activity (DFAS-Columbus): Personnel who are responsible for asset transaction processing have neither responsibility for asset master file maintenance nor update access to the asset master file.

Test Procedure (DFAS-Columbus): Read the DPAS SSAA Appendix O, “DPAS Security Awareness Guide,” to confirm that the roles and responsibilities were defined for the System Administrator, IAO, Site Security Officer, and Users.

Observed documentation that defined user roles and responsibilities.

Observed the application to confirm that users must possess a valid Login and Password to gain access to the system.

Observed that each user account was assigned a Security Profile that restricted access by module, program, UIC, and Hand Receipt.

Observed documentation and communication between the PBO and the Information Systems Security Officer responsible for setting up the Security Profile that dictated which modules and functions each user had access to.

Results of Testing: No relevant exceptions noted.

Control Objective 11: Controls provide reasonable assurance that erroneous transactions are identified without being processed and without undue disruption of the processing of other valid transactions.

Control Activity (DISA-Dayton): Transactions that are reprocessed are controlled in a similar manner to the original transactions with appropriate modifications (for both business process and security controls).

The system provides an audit trail of all transactions processed, transaction errors, error descriptions, and error correction procedures.

Test Procedure (DISA-Dayton): Confirmed through inquiry that erroneous transactions were reprocessed in a similar manner to the original transactions.

Read Standard Operating Procedures to confirm that documented procedures existed for monitoring transaction processing.

Observed that transactions were reprocessed in a manner similar to original transactions.

Observed the batch status file to confirm that erroneous transactions were monitored, identified, and corrected.

Observed the batch status file to confirm that it recorded all successful and unsuccessful batches.

Observed the Batch Error History report and descriptions to confirm that erroneous transactions were monitored, identified, and corrected and that correction procedures were recorded.

Results of Testing: No standard operating procedures existed for monitoring transaction processing. In addition, error correction procedures were not documented and maintained. Finally, the majority of the transaction processing, monitoring, and error correction functions were performed by one individual at DISA who was the only person who had the full technical knowledge of DPAS to perform all of the functions. The unavailability of this person could impact the timeliness and quality of system transaction file processing.

Control Objective 12: Controls provide reasonable assurance that transaction data entered for processing via automated interface are subject to a variety of controls to check for accuracy, completeness and validity and that input data are validated and edited as close to the point of origination as possible.

Control Activity (DISA-Dayton): Interfaced inputs are automatically validated by the system for missing information, format, consistency and reasonableness. Checks for valid information are made when inputs are received. Transactions failing edit and validation routines are posted to a suspense file and reported. Where a file contains valid and invalid transactions, processing of valid transactions is not delayed.

Interfaced inputs are transmitted in batch files and batch control totals are used to balance sent transactions to received transactions. Out-of-balance conditions are reported, corrected and reentered.

Test Procedure (DISA-Dayton): Confirmed through inquiry that interfaced inputs were automatically validated by the system for missing information, format, consistency and reasonableness.

Observed the application to confirm that it would reject and not process erroneous transactions.

Observed log files that confirm the logging of successful and unsuccessful transactions between interfaces.

Observed the error file to confirm that erroneous transactions were monitored, identified, and corrected.

Observed system batch files of interfaced inputs for control totals and line counts.

Observed the suspense file to confirm that erroneous transactions were monitored, identified, and corrected.

Inspected a haphazard sample of batch transaction errors to confirm that all 7 transaction errors were corrected.

Observed that rerun transactions were subjected to the same quality review as the original transactions.

Results of Testing: No relevant exceptions noted.
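The interface controls described for control objectives 11 and 12 (edit and validation of interfaced inputs on receipt, a suspense file for rejects, valid records not delayed by rejects, and batch control totals balanced against what was received) fit together as shown below. This is an added example, not DPAS code; the batch record layout, the 13-digit stock number format and the reasonableness ceiling are assumptions.

```python
"""Edit/validation of a batch interface file with control totals and a
suspense file, as described for control objectives 11 and 12.

Added example, not DPAS code. The record layout is constructed: a header
'H|<record count>|<control total>' followed by detail records
'D|<stock number>|<serial number>|<acquisition cost>' (pipe-delimited)."""
from decimal import Decimal, InvalidOperation
import re

STOCK_NUMBER_RE = re.compile(r"^\d{13}$")      # assumed 13-digit stock number
MAX_REASONABLE_COST = Decimal("10000000.00")   # assumed reasonableness ceiling


def parse_batch(text):
    """Split a batch into (expected_count, expected_total, detail_lines)."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty batch")
    header = lines[0].split("|")
    if header[0] != "H" or len(header) != 3:
        raise ValueError("missing or malformed batch header")
    return int(header[1]), Decimal(header[2]), lines[1:]


def validate_record(fields):
    """Return error descriptions for one detail record (empty list = passes)."""
    if len(fields) != 4:
        return ["wrong field count"]
    record_type, stock_number, serial_number, cost = fields
    errors = []
    if record_type != "D":
        errors.append("record type not D")
    if not STOCK_NUMBER_RE.match(stock_number):
        errors.append("stock number format")
    if not serial_number:
        errors.append("serial number missing")
    try:
        amount = Decimal(cost)
        if amount <= 0 or amount > MAX_REASONABLE_COST:
            errors.append("cost not reasonable")
    except InvalidOperation:
        errors.append("cost not numeric")
    return errors


def process_batch(text):
    """Edit every record, post the good ones, suspend the bad ones with their
    error descriptions, and balance received count/total against the header."""
    expected_count, expected_total, body = parse_batch(text)
    posted, suspense, received_total = [], [], Decimal("0")
    for line_no, line in enumerate(body, start=2):
        fields = line.split("|")
        errors = validate_record(fields)
        if len(fields) == 4:
            try:
                received_total += Decimal(fields[3])   # every amount received counts
            except InvalidOperation:
                pass
        entry = {"line": line_no, "record": line, "errors": errors}
        (suspense if errors else posted).append(entry)   # valid records are not delayed
    return {
        "posted": posted,
        "suspense": suspense,
        "received_count": len(body),
        "received_total": received_total,
        "count_balanced": expected_count == len(body),
        "total_balanced": expected_total == received_total,
    }


# Constructed sample batch: two good records, two that should fall to suspense.
SAMPLE_BATCH = """H|4|250000.00
D|1234567890123|SN001|100000.00
D|1234567890123|SN002|75000.00
D|12345|SN003|50000.00
D|1234567890123||25000.00
"""
# Same batch with the last record lost in transmission: out of balance.
TRUNCATED_BATCH = "\n".join(SAMPLE_BATCH.splitlines()[:-1]) + "\n"

if __name__ == "__main__":
    result = process_batch(SAMPLE_BATCH)
    print(len(result["posted"]), "posted,", len(result["suspense"]), "in suspense,",
          "balanced" if result["count_balanced"] and result["total_balanced"] else "OUT OF BALANCE")
```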


Section IV: Supplemental Information Provided by the Defense Information Systems Agency

This section has been prepared by DISA and is included to provide user organizations with information DISA believes will be of interest to such organizations but is not covered in the scope or control objectives established for the Statement on Auditing Standards 70 review. Specifically included is a summary of procedures that DISA has put into place to enable recovery from a disaster affecting the DISA location where DPAS is housed and maintained.

This  information  has  not  been  subjected  to  the  procedures  applied  to  the 
examination  of  the  description  of  controls  presented  in  Sections  II  and  III  of  this 
report,  and  accordingly,  the  DoD  OIG  expresses  no  opinion  regarding  the 
completeness  and  accuracy  of  this  information. 

To  accommodate  a  major  disaster  at  any  major  DISA  processing  center,  DISA  has 
established  the  DISA  Continuity  and  Test  Facility  (DCTF)  at  Slidell,  LA.  This  facility  is 
equipped  with  computational,  DASD  (Direct  Access  Storage  Device),  and 
telecommunications  resources  sized  to  provide  a  fully  functional  host  site  with  the 
capacity  to  support  a  major  disaster  at  any  DISA  processing  center.  The  Continuity  of 
Operations  support  agreement  between  DPAS  as  the  customer  and  DISA  as  the  provider 
of  processing  system  and  communications  services  provides  for  restoring  host  site 
processing  in  the  event  of  a  major  disaster  and  the  timely  resolution  of  problems  during 
other  disruptions  that  adversely  affect  DPAS  processing. 

The  enterprise  backup  process  is  managed  by  the  DISA-Oklahoma  City  Storage  Team. 
Backup  tapes  containing  the  incremental  daily  and  the  complete  weekly  backups  are 
created  at  Dayton  with  DISA-Oklahoma  City  oversight.  The  tapes  are  rotated  off-site  to 
Data Storage Centers in Cincinnati, OH, for storage on a predetermined schedule.

The  Crisis  Management  Team  (CMT)  at  DISA-Ogden  is  responsible  for  declaring  that  a 
disaster  has  occurred  and  to  initiate  the  Business  Continuity  Plan.  The  CMT  will  then 
activate  the  following  response  teams:  Communications  Team,  Recovery  Coordination 
Team,  Site  Recovery  Team,  and  the  Crisis  Support  Team  (CST).  In  the  event  of  disaster 
recovery  when  the  DISA-Oklahoma  City  or  DISA-Ogden  sites  are  not  available  to 
restore  the  data,  the  DPAS  customer  has  to  request  DISA-Dayton  personnel  to  initiate  the 
data  restore  process.  Each  team  has  a  specific  set  of  responsibilities  defined  in  the 
Business  Continuity  Plan.  The  contact  information  for  each  individual  on  each  team  is 
also  included  in  the  Business  Continuity  Plan.  The  plan  is  required  to  be  tested  on  an 
annual  basis.  DPAS  personnel  and  select  user  sites  participate  in  the  yearly  Continuity  of 
Operations  test  to  ensure  that  the  process  works  correctly  and  that  documentation  is 
updated  appropriately. 
Acronyms and Abbreviations

ACC  Asset Control Code
ACL  Access Control List
ADP  Automated Data Processing
CCB  Configuration Control Board
CI  Configured Items
CMTS  Configuration Management Tracking System
DAA  Designated Approving Authority
DECC  Defense Enterprise Computing Center
DFAS  Defense Finance and Accounting Service
DISA  Defense Information Systems Agency
DISA OKC  DISA Oklahoma City
DITSCAP  Department of Defense Information Technology Security Certification and Accreditation Process
DoD  Department of Defense
DoD OIG  Department of Defense Office of Inspector General
DPAS  Defense Property Accountability System
FSO  Field Security Operations
GOTS  Government off-the-Shelf
HP/UX  Hewlett Packard/Unix
IA  Information Assurance
IAM  Information Assurance Manager
IAO  Information Assurance Officer
ID  Identification
IDS  Intrusion Detection System
ISS  Internet Security Systems
IT  Information Technology
MAC  Mission Assurance Category
NAVSISA  Naval Supply Information Systems Activity
NIST  National Institute of Standards and Technology
NSA  National Security Agency
PBO  Property Book Officer
PDCD  Portable Data Collection Devices
PTR  Program Trouble Report
SAAR  System Authorization Access Request
SCR  System Change Request
SMC  System Management Center
SRR  System Readiness Review
SSAA  System Security Authorization Agreement
STIG  Security Technical Implementation Guide
TASO  Terminal Area Security Officer
UIC  Unit Identification Code
ULLS-S4  Unit Level Logistics System-Supply
USSGL  United States Government Standard General Ledger
VMS  Vulnerability Management System
VPN  Virtual Private Network
Report Distribution


Office  of  the  Secretary  of  Defense 

Under  Secretary  of  Defense,  Acquisition,  Technology  and  Logistics 
Under  Secretary  of  Defense  (Comptroller)/Chief  Financial  Officer 
Deputy  Chief  Financial  Officer 
Deputy  Comptroller  (Program/Budget) 

Program  Analysis  and  Evaluation 

Department  of  the  Navy 

Naval  Inspector  General 

Auditor  General,  Department  of  the  Navy 

Commanding  Officer,  Naval  Supply  Information  Systems  Activity 

Combatant  Command 

U.S.  Joint  Forces  Command 

Other  Defense  Organizations 

Defense  Finance  and  Accounting  Service 
Defense  Information  Systems  Agency 

Non-Defense  Federal  Organizations  and  Individuals 

Office  of  Management  and  Budget 
General  Accountability  Office 

Congressional  Committees  and  Subcommittees,  Chairman  and  Ranking 
Minority  Members 

Senate  Committee  on  Appropriations 

Senate  Subcommittee  on  Defense,  Committee  on  Appropriations 
Senate  Committee  on  Armed  Services 
Senate  Committee  on  Governmental  Affairs 
House  Committee  on  Appropriations 

House  Subcommittee  on  Defense,  Committee  on  Appropriations 
House Committee on Armed Services
House  Committee  on  Government  Reform 

House  Subcommittee  on  Government  Efficiency  and  Financial  Management,  Committee 
on  Government  Reform 

House  Subcommittee  on  National  Security,  Emerging  Threats,  and  International 
Relations,  Committee  on  Government  Reform 
House  Subcommittee  on  Technology,  Information  Policy,  Intergovernmental 
Relations,  and  the  Census,  Committee  on  Government  Reform 
Team Members


The  Defense  Financial  Auditing  Service,  Department  of  Defense  Office  of  Inspector 
General  produced  this  report. 

Paul  J.  Granetto 
Patricia  A.  Marsh 
Addie  M.  Beima 
Kenneth  H.  Stavenjord 
Yolanda  C.  Watts 
LTC  Shurman  Vines 
Jackie  J.  Vos 
William  Zeh 
Charles  Dekle 
Kimberly  D.  Brothers 
Michael  E.  Williams 


